CVE-2026-57915 - It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA

CVE-2025-64152 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2025-55017 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2026-57914 - By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trig

CVE-2026-49486 - The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but n

CVE-2026-48946 - The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's

CVE-2026-56130 - "Remember me" cookie age is not verified on the server. This potentially allows an attacker to inter

CVE-2026-56091 - When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HT

CVE-2026-54226 - A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. U

CVE-2026-46752 - Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache

CVE-2026-46751 - A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. U

CVE-2026-45188 - Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.

CVE-2026-41566 - Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This i

CVE-2026-54665 - Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request hea

CVE-2026-44914 - Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that includ

CVE-2026-44913 - Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache N

CVE-2026-44911 - Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 throu

CVE-2025-66336 - Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-cont

CVE-2025-62198 - An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier.

CVE-2026-49872 - Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route

CVE-2026-49871 - Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations.

CVE-2026-49231 - Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed iden

CVE-2026-49230 - Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin

CVE-2026-48895 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker co

CVE-2026-47341 - Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from c

CVE-2026-47339 - Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor

CVE-2026-44915 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default con

CVE-2026-44087 - Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect p

CVE-2026-44046 - Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac

CVE-2026-39999 - Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypas

CVE-2026-39998 - Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certai

CVE-2026-49257 - mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. I

CVE-2026-49268 - A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction i

CVE-2026-50203 - A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`

CVE-2026-47340 - Allow authenticated users to access alert instances associated with alert groups they do not have pe

CVE-2026-42357 - Incorrect Authorization vulnerability allows users to access workflow instance information belonging

CVE-2026-41280 - Incorrect Authorization vulnerability allows users with system login privileges to delete task defin

CVE-2026-32967 - Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. T

CVE-2026-32966 - DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apa

CVE-2026-50645 - There is no restriction on the amount of attachment headers that a message can contain when being de

CVE-2026-50634 - A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to proce

CVE-2026-50633 - A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can

CVE-2026-50632 - A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lea

CVE-2026-50627 - The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of inc

CVE-2026-50623 - An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF.

CVE-2026-49875 - Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory w

CVE-2026-41000 - Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestDa

CVE-2026-40996 - Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J'

CVE-2026-50223 - Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low

CVE-2026-47342 - A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to o

CVE-2026-45569 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45567 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45566 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45565 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-25700 - Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affect

CVE-2026-45564 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45563 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45561 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45560 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45559 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45558 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45556 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45552 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45550 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-45549 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8

CVE-2026-41732 - JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning t

CVE-2026-41731 - JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trust

CVE-2026-41727 - Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header value

CVE-2026-41726 - When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap withou

CVE-2026-49818 - The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destinat

CVE-2026-34905 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This iss

CVE-2026-34033 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apach

CVE-2026-34031 - Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects

CVE-2026-33582 - Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects

CVE-2026-25699 - Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. T

CVE-2026-25688 - Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects

CVE-2026-49975 - Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to

CVE-2026-48913 - Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already ex

CVE-2026-44631 - Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configur

CVE-2026-44186 - Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in

CVE-2026-44185 - Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker contr

CVE-2026-44119 - Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .h

CVE-2026-43951 - Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple re

CVE-2026-42536 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and

CVE-2026-42535 - A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to d

CVE-2026-34356 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and Pr

CVE-2026-34355 - A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an

CVE-2026-29170 - A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apa

CVE-2026-29167 - Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration Thi

CVE-2026-50076 - Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK

CVE-2026-45080 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4

CVE-2026-44367 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4

CVE-2026-46718 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in

CVE-2026-41115 - An improper authorization vulnerability has been identified in Apache Kafka. The implementation of

CVE-2026-49328 - Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) f

CVE-2026-49361 - Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.M

CVE-2026-49298 - A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate a

CVE-2026-49270 - Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache A

CVE-2026-49267 - Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STA

CVE-2026-49157 - Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ:

CVE-2026-48827 - Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upl

CVE-2026-48726 - A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after

CVE-2026-46764 - The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit

CVE-2026-46605 - Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authent

CVE-2026-45505 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-45426 - Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log

CVE-2026-45360 - Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_r

CVE-2026-44825 - Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr v

CVE-2026-42588 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-42360 - A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g.

CVE-2026-42359 - A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authentic

CVE-2026-42358 - A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-

CVE-2026-42253 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-42252 - Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when tr

CVE-2026-41084 - A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_

CVE-2026-41017 - Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deploy

CVE-2026-41014 - The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not p

CVE-2026-40963 - The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Da

CVE-2026-40961 - A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that b

CVE-2026-40861 - A Dag author could either (a) create a symlink under their task's log directory pointing to an arbit

CVE-2026-45192 - A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed a

CVE-2026-48557 - Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in Fil

CVE-2026-40914 - A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with securi

CVE-2025-48977 - Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can r

CVE-2026-44966 - Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earl

CVE-2026-40564 - Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerabilit

CVE-2026-48589 - Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect aft

CVE-2026-44598 - With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Reque

CVE-2026-43828 - Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attr

CVE-2026-43827 - Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Ap

CVE-2026-42797 - Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administ

CVE-2026-42782 - Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with a

CVE-2026-46745 - Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows

CVE-2026-45249 - A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rend

CVE-2026-44930 - An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF

CVE-2026-44618 - Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform

CVE-2026-44417 - The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete

CVE-2026-48207 - Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass docu

CVE-2026-45760 - (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through Use

CVE-2026-47323 - Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knat

CVE-2026-46586 - Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in

CVE-2026-45434 - Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remo

CVE-2026-45187 - Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: bef

CVE-2026-41919 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability i

CVE-2026-35086 - Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache

CVE-2026-31986 - Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz:

CVE-2026-31910 - Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz:

CVE-2026-31909 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issu

CVE-2026-31906 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-31388 - Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affec

CVE-2026-31387 - Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.0

CVE-2026-31380 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La

CVE-2026-31379 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limit

CVE-2026-31378 - Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24

CVE-2026-29226 - Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations.

CVE-2026-29220 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2026-29207 - Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

CVE-2018-25324 - Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that

CVE-2026-41258 - OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and

CVE-2026-35194 - Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x al

CVE-2026-8503 - Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apac

CVE-2026-45205 - Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration

CVE-2026-42268 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-43515 - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the

CVE-2026-43514 - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue

CVE-2026-43513 - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue af

CVE-2026-43512 - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. T

CVE-2026-42498 - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerabi

CVE-2026-41293 - Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11

CVE-2026-41284 - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue aff

CVE-2026-43826 - The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for exam

CVE-2026-6722 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.

CVE-2026-39816 - The optional extension component TinkerpopClientService is missing the Restricted annotation with th

CVE-2026-25199 - Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to oth

CVE-2026-25077 - Account users are allowed by default to register templates to be downloaded directly to the primary

CVE-2025-69233 - Due to multiple time-of-check time-of-use race conditions in the resource count check and increment

CVE-2025-66467 - Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access

CVE-2013-10075 - Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apac

CVE-2026-42241 - ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to

CVE-2026-41930 - Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-a

CVE-2026-5081 - Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are inse

CVE-2026-43975 - FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter

CVE-2026-43646 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This iss

CVE-2026-42509 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-40010 - Missing invocation of Servlet http web request method changeSessionId after session binding can be e

CVE-2026-40075 - OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earl

CVE-2026-28780 - Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp co

CVE-2026-30923 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-29168 - Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md v

CVE-2026-43870 - Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversa

CVE-2026-43868 - Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apac

CVE-2026-43869 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-42812 - In Apache Iceberg, the table's metadata files are control files: they tell readers which data files

CVE-2026-42809 - Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation

CVE-2026-42440 - OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Version

CVE-2026-42027 - Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Aff

CVE-2026-40682 - XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersis

CVE-2026-40563 - Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas

CVE-2026-33523 - HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compr

CVE-2026-33007 - A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows

CVE-2026-33006 - A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authe

CVE-2026-29169 - A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an att

CVE-2026-23918 - Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This iss

CVE-2026-34032 - Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affec

CVE-2026-33857 - Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apach

CVE-2026-34059 - Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: throug

CVE-2026-24072 - An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .ht

CVE-2026-42779 - The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42778 - The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42404 - Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy referenc

CVE-2026-42403 - Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy d

CVE-2026-42402 - Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy n

CVE-2026-41016 - Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL c

CVE-2026-41636 - Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Th

CVE-2026-41607 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41606 - Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.2

CVE-2026-41605 - Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: be

CVE-2026-41604 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41603 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-41602 - Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implement

CVE-2025-48431 - Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This

CVE-2026-41081 - Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in

CVE-2026-40557 - Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

CVE-2026-33453 - Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apac

CVE-2026-27172 - The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegi

CVE-2026-41409 - The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname

CVE-2026-40858 - The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data r

CVE-2026-40022 - When authentication is enabled on the Apache Camel embedded HTTP server or embedded management serve

CVE-2026-33454 - The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter s

CVE-2026-41635 - Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes

CVE-2026-40860 - JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, des

CVE-2026-40473 - The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in

CVE-2026-40048 - The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in

CVE-2026-39920 - BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administ

CVE-2026-23902 - Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with sys

CVE-2026-41044 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-41043 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apach

CVE-2026-40466 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2025-62233 - Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue a

CVE-2026-33208 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33078 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prio

CVE-2026-33077 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33076 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-4132 - The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading

CVE-2026-2717 - The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and inc

CVE-2026-40542 - Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the cli

CVE-2026-33432 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions u

CVE-2026-33431 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-6257 - Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functional

CVE-2026-33558 - Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component