CVE-2026-28367 - A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` a

CVE-2026-4649 - Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows readi

CVE-2026-32642 - Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists wh

CVE-2026-33308 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for clien

CVE-2026-33307 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0,

CVE-2026-3533 - The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authori

CVE-2026-33071 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV u

CVE-2026-3547 - Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained

CVE-2026-27811 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-30911 - Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API

CVE-2026-28779 - Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regar

CVE-2026-28563 - Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependenc

CVE-2026-26929 - Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG au

CVE-2025-54920 - This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version

CVE-2016-20026 - ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that all

CVE-2026-23941 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP

CVE-2025-66249 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2025-60012 - Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apa

CVE-2026-3963 - A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function

CVE-2026-23907 - This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, f

CVE-2026-24713 - Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.

CVE-2026-24015 - A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0

CVE-2026-24308 - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all pla

CVE-2026-24281 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN

CVE-2025-40931 - Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::S

CVE-2026-27446 - Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache Activ

CVE-2025-66168 - Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow

CVE-2025-59060 - Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apa

CVE-2025-59059 - Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versi

CVE-2025-40932 - Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX genera

CVE-2026-27636 - FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version

CVE-2026-23984 - An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated us

CVE-2026-23983 - A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to re

CVE-2026-23982 - An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user

CVE-2026-23980 - Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in

CVE-2026-23969 - Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execut

CVE-2026-25747 - Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelD

CVE-2026-23552 - Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.  The

CVE-2026-27161 - GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files

CVE-2026-27134 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme

CVE-2026-27133 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme

CVE-2026-24734 - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP

CVE-2026-24733 - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests t

CVE-2025-66614 - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 1

CVE-2026-25087 - Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 t

CVE-2026-25903 - Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on

CVE-2025-33042 - Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when

CVE-2026-26214 - Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname

CVE-2026-25999 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there

CVE-2026-24343 - Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache

CVE-2026-23906 - Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all ve

CVE-2026-23901 - Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from

CVE-2026-24098 - Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with per

CVE-2026-22922 - Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenti

CVE-2026-23903 - Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Sh

CVE-2026-24735 - Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. T

CVE-2026-23795 - Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An ad

CVE-2026-23794 - Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into

CVE-2020-36939 - Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attacke

CVE-2026-24807 - Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-

CVE-2026-24806 - Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plu

CVE-2026-1464 - Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apac

CVE-2016-15057 - ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Comm

CVE-2026-24656 - Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket

CVE-2025-27821 - Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Ha

CVE-2026-22444 - The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some AP

CVE-2026-22022 - Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin

CVE-2026-21962 - Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusi

CVE-2025-59355 - A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 de

CVE-2025-29847 - A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using

CVE-2026-23529 - Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Googl

CVE-2025-68675 - In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection

CVE-2025-68438 - In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_te

CVE-2025-60021 - Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all version

CVE-2026-22265 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.

CVE-2025-66169 - Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Cam

CVE-2025-68493 - Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Str

CVE-2025-62235 - Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Secur

CVE-2025-53477 - NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection compl

CVE-2025-53470 - Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could

CVE-2025-52435 - J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Imprope

CVE-2025-68280 - Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible

CVE-2025-66518 - Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-si

CVE-2025-48769 - Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that

CVE-2025-48768 - Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code

CVE-2025-47411 - A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creati