CVE-2026-45205 - Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration

CVE-2026-42268 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-43515 - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the

CVE-2026-43514 - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue

CVE-2026-43513 - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue af

CVE-2026-43512 - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. T

CVE-2026-42498 - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerabi

CVE-2026-41293 - Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11

CVE-2026-41284 - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue aff

CVE-2026-43826 - The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for exam

CVE-2026-41018 - The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for e

CVE-2026-6722 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.

CVE-2026-39816 - The optional extension component TinkerpopClientService is missing the Restricted annotation with th

CVE-2026-25199 - Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to oth

CVE-2026-25077 - Account users are allowed by default to register templates to be downloaded directly to the primary

CVE-2025-69233 - Due to multiple time-of-check time-of-use race conditions in the resource count check and increment

CVE-2025-66467 - Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access

CVE-2013-10075 - Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apac

CVE-2026-33844 - Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attack

CVE-2026-33109 - Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker

CVE-2026-42241 - ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to

CVE-2026-41930 - Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-a

CVE-2026-5081 - Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are inse

CVE-2026-43975 - FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter

CVE-2026-43646 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This iss

CVE-2026-42509 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-40010 - Missing invocation of Servlet http web request method changeSessionId after session binding can be e

CVE-2026-40075 - OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earl

CVE-2026-28780 - Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp co

CVE-2026-30923 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-29168 - Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md v

CVE-2026-43870 - Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversa

CVE-2026-43868 - Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apac

CVE-2026-43869 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-42812 - In Apache Iceberg, the table's metadata files are control files: they tell readers which data files

CVE-2026-42811 - In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for o

CVE-2026-42810 - Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds tem

CVE-2026-42809 - Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation

CVE-2026-42440 - OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Version

CVE-2026-42027 - Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Aff

CVE-2026-40682 - XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersis

CVE-2026-40563 - Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas

CVE-2026-33523 - HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compr

CVE-2026-33007 - A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows

CVE-2026-33006 - A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authe

CVE-2026-29169 - A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an att

CVE-2026-23918 - Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This iss

CVE-2026-34032 - Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affec

CVE-2026-33857 - Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apach

CVE-2026-34059 - Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: throug

CVE-2026-24072 - An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .ht

CVE-2026-42779 - The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42778 - The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42404 - Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy referenc

CVE-2026-42403 - Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy d

CVE-2026-42402 - Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy n

CVE-2026-41016 - Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL c

CVE-2026-41636 - Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Th

CVE-2026-41607 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41606 - Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.2

CVE-2026-41605 - Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: be

CVE-2026-41604 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41603 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-41602 - Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implement

CVE-2025-48431 - Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This

CVE-2026-41081 - Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in

CVE-2026-40557 - Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

CVE-2026-33453 - Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apac

CVE-2026-27172 - The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegi

CVE-2026-41409 - The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname

CVE-2026-40858 - The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data r

CVE-2026-40022 - When authentication is enabled on the Apache Camel embedded HTTP server or embedded management serve

CVE-2026-33454 - The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter s

CVE-2026-41635 - Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes

CVE-2026-40860 - JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, des

CVE-2026-40473 - The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in

CVE-2026-40453 - The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant

CVE-2026-40048 - The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in

CVE-2026-39920 - BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administ

CVE-2026-23902 - Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with sys

CVE-2026-41044 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-41043 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apach

CVE-2026-40466 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2025-62233 - Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue a

CVE-2026-33208 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33078 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prio

CVE-2026-33077 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33076 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-4132 - The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading

CVE-2026-2717 - The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and inc

CVE-2026-40542 - Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the cli

CVE-2026-33432 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions u

CVE-2026-33431 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-6257 - Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management f

CVE-2026-33558 - Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component

CVE-2026-33557 - A possible security vulnerability has been identified in Apache Kafka. By default, the broker prope

CVE-2025-66335 - Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw

CVE-2026-40948 - The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or valid

CVE-2026-32690 - Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables

CVE-2026-30912 - In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_

CVE-2026-25917 - Dag Authors, who normally should not be able to execute code in the webserver context could craft XC

CVE-2026-30778 - The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of M

CVE-2026-5088 - Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts.

CVE-2026-33929 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2026-31924 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls l

CVE-2026-31923 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due

CVE-2026-31908 - Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configu

CVE-2026-33858 - Dag Authors, who normally should not be able to execute code in the webserver context could craft XC

CVE-2025-66236 - Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager

CVE-2026-34476 - Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue af

CVE-2026-35565 - Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Af

CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6.

CVE-2026-33704 - Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including stu

CVE-2026-40023 - Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayou

CVE-2026-40021 - Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#lay

CVE-2026-34481 - Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.

CVE-2026-34480 - Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,

CVE-2026-34479 - The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden b

CVE-2026-34478 - Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424L

CVE-2026-34477 - The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete:

CVE-2026-39304 - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker,

CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled a

CVE-2026-34487 - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clusterin

CVE-2026-34486 - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-2914

CVE-2026-34483 - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache

CVE-2026-32990 - Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

CVE-2026-29146 - Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This

CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled v

CVE-2026-29129 - Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects

CVE-2026-25854 - Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via th

CVE-2026-24880 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Ap

CVE-2026-40046 - Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveM

CVE-2026-39962 - MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutraliz

CVE-2026-34020 - Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The RE

CVE-2026-33266 - Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie en

CVE-2026-33005 - Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered u

CVE-2026-34538 - Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to

CVE-2025-62188 - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache Dolphin

CVE-2026-35573 - ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability

CVE-2026-32588 - Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise quer

CVE-2026-27315 - Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information,

CVE-2026-27314 - Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator all

CVE-2026-35554 - A race condition in the Apache Kafka Java producer client’s buffer pool management can cause message

CVE-2026-34197 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-33227 - Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Cli

CVE-2019-25671 - VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to e

CVE-2025-65114 - Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affec

CVE-2025-58136 - A bug in POST request handling causes a crash under a certain condition. This issue affects Apache

CVE-2026-34381 - Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admi

CVE-2026-32794 - Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider co

CVE-2026-28367 - A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` a

CVE-2026-4649 - Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows readi

CVE-2026-32642 - Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists wh

CVE-2026-33308 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for clien

CVE-2026-33307 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0,

CVE-2026-3533 - The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authori

CVE-2026-33071 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV u

CVE-2026-3547 - Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained

CVE-2026-27811 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-30911 - Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API

CVE-2026-28779 - Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regar

CVE-2026-28563 - Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependenc

CVE-2026-26929 - Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG au

CVE-2025-54920 - This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version

CVE-2016-20026 - ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that all

CVE-2026-23941 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP

CVE-2025-66249 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2025-60012 - Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apa

CVE-2026-3963 - A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function

CVE-2026-23907 - This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, f

CVE-2026-24713 - Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.

CVE-2026-24015 - A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0

CVE-2026-24308 - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all pla

CVE-2026-24281 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN

CVE-2025-40931 - Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::S

CVE-2026-27446 - Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache Activ

CVE-2025-66168 - WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releas

CVE-2025-59060 - Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apa

CVE-2025-59059 - Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versi

CVE-2025-40932 - Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX genera

CVE-2026-27636 - FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version

CVE-2026-23984 - An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated us

CVE-2026-23983 - A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to re

CVE-2026-23982 - An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user

CVE-2026-23980 - Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in

CVE-2026-23969 - Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execut

CVE-2026-25747 - Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelD

CVE-2026-23552 - Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.  The

CVE-2026-27161 - GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files

CVE-2026-27134 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme

CVE-2026-27133 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme

CVE-2026-24734 - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP

CVE-2026-24733 - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests t

CVE-2025-66614 - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 1

CVE-2026-25087 - Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 t

CVE-2026-25903 - Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on