VYPR

Vendor CVEs · Apache · All CVEs

2,550 total · sorted by risk
  • CVE-2015-3254 · Medium · Jun 16, 2017
    risk 0.43 · CVSS 6.5 · EPSS 0.05

    The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

  • CVE-2015-5175 · High · Jun 7, 2017
    risk 0.43 · CVSS 7.5 · EPSS 0.11

    Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service.

  • CVE-2016-5004 · Medium · Jun 6, 2017
    risk 0.43 · CVSS 6.5 · EPSS 0.06

    The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes.

  • CVE-2017-5664 · High · Jun 6, 2017
    risk 0.43 · CVSS 7.5 · EPSS 0.17

    The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error…

  • CVE-2017-5647 · High · Apr 17, 2017
    risk 0.43 · CVSS 7.5 · EPSS 0.17

    A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous…

  • CVE-2016-6802 · High · Sep 20, 2016
    risk 0.43 · CVSS 7.5 · EPSS 0.10

    Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

  • CVE-2016-4433 · High · Jul 4, 2016
    risk 0.43 · CVSS 7.5 · EPSS 0.10

    Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

  • CVE-2016-4431 · High · Jul 4, 2016
    risk 0.43 · CVSS 7.5 · EPSS 0.10

    Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

  • CVE-2016-0784 · Medium · Apr 11, 2016
    risk 0.43 · CVSS 6.5 · EPSS 0.56

    Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. (dot dot) in a ZIP archive entry.

  • CVE-2014-3576 · High · Aug 14, 2015
    risk 0.43 · CVSS 7.5 · EPSS 0.13

    The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

  • CVE-2009-2699 · High · Oct 13, 2009
    risk 0.43 · CVSS 7.5 · EPSS 0.14

    The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a…

  • CVE-2004-0174 · High · May 4, 2004
    risk 0.43 · CVSS 7.5 · EPSS 0.12

    Apache 1.3.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."

  • CVE-2026-53917 · Moderate · Jun 30, 2026
    risk 0.42 · CVSS 6.5 · EPSS n/a

    Apache ActiveMQ (activemq-all, activemq-client, activemq-broker): Denial of Service via crafted OpenWire Message

  • CVE-2026-53404 · Moderate · Jun 29, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Apache Tomcat: Incorrect control flow in rewrite valve allows unexpected rule processing

  • CVE-2026-57914 · Moderate · Jun 26, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Apache Kerby (org.apache.kerby/kerby-asn1): Denial of Service via deeply nested ASN.1 structure

  • CVE-2026-50634 · Medium · Jun 12, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata…

  • CVE-2026-50630 · Medium · Jun 12, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm…

  • CVE-2026-49975 · High · Jun 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.11

    Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

  • CVE-2026-42536 · High · Jun 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

  • CVE-2026-34356 · High · Jun 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

  • CVE-2026-34355 · High · Jun 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

  • CVE-2026-46718 · Medium · Jun 2, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.

  • CVE-2026-49361 · High · Jun 1, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame…

  • CVE-2026-41084 · High · Jun 1, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity…

  • CVE-2025-48977 · Medium · May 28, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to…

  • CVE-2026-43828 · Medium · May 25, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the…

  • CVE-2026-43827 · Medium · May 25, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions,…

  • CVE-2026-45187 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-35086 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-31380 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-31378 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-29220 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-29207 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data…

  • CVE-2026-43513 · High · May 12, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older…

  • CVE-2026-41284 · High · May 12, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are…

  • CVE-2025-69233 · Medium · May 8, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to…

  • CVE-2025-66171 · Medium · May 8, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and who has access to specific APIs, can create new VMs using backups of any…

  • CVE-2025-66170 · Medium · May 8, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The CloudStack Backup plugin has improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and who has access to specific APIs, can list backups from any account…

  • CVE-2026-29169 · High · May 4, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from…

  • CVE-2026-34059 · High · May 4, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2026-42404 · Medium · May 1, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and…

  • CVE-2026-41636 · High · Apr 28, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-41602 · High · Apr 28, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2025-48431 · High · Apr 28, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an…

  • CVE-2026-41043 · Medium · Apr 24, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead…

  • CVE-2026-6857 · High · Apr 22, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows…

  • CVE-2026-32228 · High · Apr 18, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    A UI/API user with the asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.

  • CVE-2026-30912 · High · Apr 18, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    In case of SQL errors, the exception/stack trace was exposed in the API even if "api/expose_stack_traces" was set to false. That could expose additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

  • CVE-2026-31987 · High · Apr 16, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    JWT tokens used by tasks were exposed in logs. This could allow UI users to act as DAG authors. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

  • CVE-2026-30778 · High · Apr 15, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.
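Three entries on this page share one root cause: a size the peer controls is trusted before anything is allocated from it. CVE-2026-49361 (a frame decoder whose maximum frame length is Integer.MAX_VALUE), CVE-2026-49975 (allocation with an excessive size value from a request) and CVE-2016-5004 (decompressing a stream of zeroes with no output bound). The block below is an added Python illustration of the pattern and its fix, not code from Fluss, httpd or ws-xmlrpc: a length-prefixed frame decoder that checks the declared length before it is used, and a zlib decompressor that caps its output, each beside the unbounded form. The limits, frame layout and sample streams are constructed for the example.

```python
import struct
import zlib

# Limits chosen for this example; a real service sizes them to its workload.
MAX_FRAME_BYTES = 1024
MAX_DECOMPRESSED_BYTES = 64 * 1024


class FrameTooLarge(ValueError):
    """Raised when a frame header declares more bytes than the decoder will buffer."""


def decode_frames(stream: bytes, max_frame: int = MAX_FRAME_BYTES) -> list[bytes]:
    """Split a 4-byte big-endian length-prefixed stream into complete frames.

    The declared length is validated before anything is sized from it, so a
    header claiming gigabytes is rejected rather than reserved for. A decoder
    with no bound (the Integer.MAX_VALUE case) would keep accumulating bytes
    for that frame until the heap is gone. An incomplete trailing frame is left
    unread, as a streaming decoder would wait for more bytes.
    """
    frames: list[bytes] = []
    offset = 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, offset)
        if length > max_frame:
            raise FrameTooLarge(f"declared length {length} exceeds limit {max_frame}")
        if offset + 4 + length > len(stream):
            break
        frames.append(stream[offset + 4 : offset + 4 + length])
        offset += 4 + length
    return frames


def unbounded_decompress(data: bytes) -> bytes:
    """Vulnerable form: the output buffer grows to whatever the stream expands to."""
    return zlib.decompress(data)


def bounded_decompress(data: bytes, max_out: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Hardened form: ask zlib for at most max_out + 1 bytes and reject anything past max_out.

    Memory use is bounded by max_out + 1 regardless of the compression ratio,
    because the inflater stops producing output once the cap is reached.
    """
    inflater = zlib.decompressobj()
    out = inflater.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise ValueError(f"decompressed size exceeds limit {max_out}")
    return out


# Constructed inputs.
GOOD_STREAM = struct.pack(">I", 5) + b"hello" + struct.pack(">I", 2) + b"ok"
# A header that claims 2^31 - 1 bytes but carries none of them.
HUGE_HEADER_STREAM = GOOD_STREAM + struct.pack(">I", 2**31 - 1)
# A few kilobytes of compressed zeroes that inflate to 4 MiB.
ZERO_BOMB = zlib.compress(b"\x00" * (4 * 1024 * 1024), 9)
SMALL = zlib.compress(b"small")


if __name__ == "__main__":
    print(decode_frames(GOOD_STREAM))
    try:
        decode_frames(HUGE_HEADER_STREAM)
    except FrameTooLarge as exc:
        print("rejected:", exc)
    print(len(ZERO_BOMB), "compressed bytes inflate to", len(unbounded_decompress(ZERO_BOMB)))
    try:
        bounded_decompress(ZERO_BOMB)
    except ValueError as exc:
        print("rejected:", exc)
```

The same check applies wherever a peer-supplied length drives an allocation: a Content-Length, a chunk size, an ASN.1 length octet, a frame header. Validate it against a limit that reflects what the service legitimately needs, before the allocation, and treat the limit as part of the protocol contract rather than as a tuning knob left at its maximum.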
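CVE-2026-50630 above describes a realm value concatenated into a WWW-Authenticate header without stripping CR or LF. The block below is an added Python illustration of that defect and its fix, not code from Apache CXF: a vulnerable builder beside a hardened one, plus a minimal serializer and parser so the effect of the injected line break is visible the way a client would see it. The realm string, the `Bearer` challenge form and the helper names are constructed for the example.

```python
import re

_CR_OR_LF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the header line early."""


def www_authenticate_vulnerable(realm: str) -> str:
    """Vulnerable form: the realm is concatenated verbatim, CR/LF included."""
    return 'Bearer realm="' + realm + '"'


def www_authenticate_hardened(realm: str) -> str:
    """Hardened form: refuse CR/LF outright, then emit an RFC 7235 quoted-string.

    Rejecting is preferable to silently stripping: a realm containing a line
    break is never legitimate, and stripping would hide the attempt from logs.
    """
    if _CR_OR_LF.search(realm):
        raise HeaderInjection("CR or LF in realm")
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Bearer realm="{quoted}"'


def serialize(status_line: str, headers: list[tuple[str, str]]) -> bytes:
    """Emit a minimal HTTP/1.1 response head exactly as a naive server would."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_head(raw: bytes) -> list[tuple[str, str]]:
    """Parse a response head the way a client does: one header per CRLF-terminated line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    parsed = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


# Constructed attacker-controlled realm: closes the quoted value, ends the
# WWW-Authenticate line, and appends a header of the attacker's choosing.
EVIL_REALM = 'api"\r\nSet-Cookie: session=attacker-chosen'


def header_names_seen_by_client(realm: str) -> list[str]:
    """Header names a client parses after the vulnerable builder is used for `realm`."""
    raw = serialize(
        "HTTP/1.1 401 Unauthorized",
        [("WWW-Authenticate", www_authenticate_vulnerable(realm))],
    )
    return [name for name, _ in parse_head(raw)]


if __name__ == "__main__":
    print(header_names_seen_by_client(EVIL_REALM))
    try:
        www_authenticate_hardened(EVIL_REALM)
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(www_authenticate_hardened('my "api"'))
```

Many HTTP stacks refuse CR/LF at the point a header is written, which is worth having as a second layer, but the check belongs where the value is built: that is where the code knows which input was untrusted and can fail the request with a useful error instead of an opaque serialization failure.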

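CVE-2026-41084 above describes an authorization check made against the `dag_id` in the URL path while the operation used the `dag_id` and `dag_run_id` carried in request-body entities. The block below is an added Python illustration of that mismatch and of the fix, not Apache Airflow's code: a bulk-delete handler that checks one identifier and acts on another, beside one that binds every body entity to the addressed path before touching anything. The permission table, task-instance store and request bodies are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskKey:
    dag_id: str
    dag_run_id: str
    task_id: str


# Constructed permission model: a user may edit task instances only of the DAGs listed.
CAN_EDIT = {"alice": {"dag_a"}, "bob": {"dag_a", "dag_b"}}


def authorized(user: str, dag_id: str) -> bool:
    return dag_id in CAN_EDIT.get(user, set())


def fresh_store() -> set[TaskKey]:
    """Constructed task-instance table, rebuilt per call so runs do not share state."""
    return {
        TaskKey("dag_a", "run_1", "extract"),
        TaskKey("dag_a", "run_1", "load"),
        TaskKey("dag_b", "run_7", "train"),
    }


def bulk_delete_vulnerable(store: set[TaskKey], user: str, path_dag_id: str,
                           path_run_id: str, entities: list[dict]) -> list[TaskKey]:
    """Authorizes on the URL's dag_id, then deletes whatever dag_id/dag_run_id the body names."""
    if not authorized(user, path_dag_id):
        raise PermissionError(user)
    deleted = []
    for e in entities:
        key = TaskKey(e["dag_id"], e["dag_run_id"], e["task_id"])  # body wins over path
        if key in store:
            store.remove(key)
            deleted.append(key)
    return deleted


def bulk_delete_fixed(store: set[TaskKey], user: str, path_dag_id: str,
                      path_run_id: str, entities: list[dict]) -> list[TaskKey]:
    """Authorizes on the URL's dag_id and refuses any body entity addressed elsewhere.

    Every entity is validated before the first mutation, so a request that
    mixes a permitted target with a smuggled one changes nothing at all.
    """
    if not authorized(user, path_dag_id):
        raise PermissionError(user)
    keys = []
    for e in entities:
        if e.get("dag_id", path_dag_id) != path_dag_id or e.get("dag_run_id", path_run_id) != path_run_id:
            raise PermissionError(f"entity {e} does not belong to {path_dag_id}/{path_run_id}")
        keys.append(TaskKey(path_dag_id, path_run_id, e["task_id"]))  # path wins over body
    deleted = [k for k in keys if k in store]
    for k in deleted:
        store.remove(k)
    return deleted


# alice's request: the URL addresses dag_a/run_1, which she may edit, while the
# body entity points at a task instance of dag_b, which she may not.
SMUGGLED = [{"dag_id": "dag_b", "dag_run_id": "run_7", "task_id": "train"}]


if __name__ == "__main__":
    print("vulnerable:", bulk_delete_vulnerable(fresh_store(), "alice", "dag_a", "run_1", SMUGGLED))
    try:
        bulk_delete_fixed(fresh_store(), "alice", "dag_a", "run_1", SMUGGLED)
    except PermissionError as exc:
        print("fixed rejected:", exc)
```

The general rule the fix applies: the identifier the authorization decision is made on must be the same identifier the data-access layer uses. Where a request carries the same field in two places (path and body, header and query string), pick one as authoritative, check the other against it, and reject the request on mismatch rather than quietly preferring either.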
Page 9 of 51