Apache security advisories
60 threat alerts tracking vulnerabilities and security advisories that affect Apache products.
Vulnios monitors Apache CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent Apache security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-49268 — apache — shiro
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN tem
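The class of bug described above (user input concatenated into a DN template) is fixed by escaping the value per RFC 4514 before substitution. The following is an added example, not Apache Shiro's code: the template shape, the usernames and the DN layout are constructed for illustration, and `split_dn` exists only to show how many RDNs the resulting DN parses into.

```python
# Added example (not Apache Shiro code): escaping a user-supplied value before it
# is placed into an LDAP DN template, per RFC 4514, and checking the result.
# The template, usernames and DN layout below are constructed for illustration.

DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"   # assumed template shape

# Characters RFC 4514 requires to be escaped anywhere inside an RDN attribute value.
_RDN_SPECIAL = set('\\,+"<>;')


def escape_rdn_value(value: str) -> str:
    """Escape value so it can only ever be read as a single RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")              # NUL must be hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")               # a leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")               # leading/trailing spaces are significant
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas (escape pairs kept intact)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])         # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def rdn_count(dn: str) -> int:
    return len(split_dn(dn))


def build_user_dn_unsafe(username: str) -> str:
    """The pattern the advisory describes: raw input substituted into the DN template."""
    return DN_TEMPLATE.format(username)


def build_user_dn(username: str) -> str:
    """Hardened form: the username is escaped before substitution."""
    return DN_TEMPLATE.format(escape_rdn_value(username))


if __name__ == "__main__":
    probe = "alice,ou=admins"   # constructed input that contains a DN separator
    for build in (build_user_dn_unsafe, build_user_dn):
        dn = build(probe)
        print(f"{build.__name__}: {dn}  ({rdn_count(dn)} RDNs)")
```

With the unsafe builder the comma in the input yields a five-RDN DN, i.e. the lookup base has changed; with escaping the DN still has exactly the four RDNs of the template and the whole input stays inside the `uid` value. Escaping belongs at the DN-construction boundary regardless of any upstream username validation.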
Critical Vulnerability: CVE-2026-50203 — apache — apache-airflow-providers-sftp
A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destina
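The check a directory-download routine needs is that every server-supplied entry name, once joined to the local destination, still resolves underneath that destination. This is an added example, not the Airflow provider's own code; the local directory and the entry names are constructed.

```python
# Added example (not Airflow provider code): deciding whether a server-supplied
# remote entry name may be written under the configured local directory.
# The directory and entry names used below are constructed.
import os
import posixpath


def safe_local_path(local_dir: str, remote_name: str) -> str:
    """Return the absolute local path for remote_name, or raise ValueError if it
    would land outside local_dir (parent references, absolute paths, symlink escapes)."""
    if "\x00" in remote_name or "\\" in remote_name:
        raise ValueError("unexpected characters in remote name")
    # SFTP names are POSIX-style; normalise with posixpath so the host OS's
    # separator rules never apply to attacker-controlled input.
    norm = posixpath.normpath(remote_name)
    if posixpath.isabs(norm) or norm in (".", "..") or norm.startswith("../"):
        raise ValueError(f"refusing remote name {remote_name!r}")
    base = os.path.realpath(local_dir)
    candidate = os.path.realpath(os.path.join(base, *norm.split("/")))
    # realpath follows symlinks that already exist on disk, so a link planted
    # under local_dir in an earlier download is caught as well.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"remote name {remote_name!r} escapes {local_dir!r}")
    return candidate


def is_contained(local_dir: str, remote_name: str) -> bool:
    try:
        safe_local_path(local_dir, remote_name)
        return True
    except ValueError:
        return False


def plan_downloads(local_dir: str, remote_names):
    """Split a remote directory listing into names to fetch and names to reject."""
    accepted, rejected = [], []
    for name in remote_names:
        (accepted if is_contained(local_dir, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    listing = ["reports/q1.csv", "../outside.txt", "/etc/passwd", "logs/../../x"]
    print(plan_downloads("/tmp/sftp-dl", listing))
```

Rejecting rather than silently renaming is deliberate: a malicious server that returns traversal names is not one whose other files should be trusted either, so a caller would normally abort the whole transfer when `rejected` is non-empty.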
Critical Vulnerability: CVE-2026-32967 — apache — dolphinscheduler
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to versio
Critical Vulnerability: CVE-2026-32966 — apache — dolphinscheduler
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommen
Critical Vulnerability: CVE-2026-50627 — apache — cxf
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replaye
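A resource server must reject any access token whose `aud` claim does not name that server, including tokens with no `aud` at all, since `aud` may be a string or an array (RFC 7519). This is an added example, not Apache CXF's validator: it uses HS256 with a shared key so it runs offline, and the key, issuer and audience URLs are constructed.

```python
# Added example (not Apache CXF code): a resource server checking that an access
# token's 'aud' claim names this server before accepting it. HS256 with a shared
# key is used so the block runs offline; key and audiences are constructed.
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (HS256) over claims; stands in for the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_access_token(token: str, key: bytes, my_audience: str, now: float = None) -> dict:
    """Verify signature and expiry, then require my_audience to be listed in 'aud'."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                      # covers binascii, unicode and JSON errors
        raise TokenRejected("undecodable token")
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    if "exp" in claims and now >= claims["exp"]:
        raise TokenRejected("expired")
    aud = claims.get("aud")
    if aud is None:
        raise TokenRejected("missing aud")  # a token addressed to nobody is not for us
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or my_audience not in audiences:
        raise TokenRejected(f"token not issued for {my_audience}")
    return claims


def accepts(token: str, key: bytes, my_audience: str, now: float = None) -> bool:
    try:
        validate_access_token(token, key, my_audience, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    token_for_a = issue_token({"sub": "alice", "aud": "https://api-a.example"}, key)
    print("api-a accepts:", accepts(token_for_a, key, "https://api-a.example"))
    print("api-b accepts:", accepts(token_for_a, key, "https://api-b.example"))  # replay
```

The audience check runs after signature verification but before any claim is trusted; a valid signature from the right issuer says nothing about which resource server the token was meant for, which is exactly the gap the advisory describes.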
Critical Vulnerability: CVE-2026-50628 — apache — cxf
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadve
Critical Vulnerability: CVE-2026-49875 — apache — cxf
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity reso
Critical Vulnerability: CVE-2026-45434 — apache — ofbiz
Improper Authentication vulnerability in Apache OFBiz via a password-change logic flaw leading to remote code execution. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgra
Critical Vulnerability: CVE-2026-25199 — apache — cloudstack
Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmo
Critical Vulnerability: CVE-2026-40010 — apache — wicket
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0
Critical Vulnerability: CVE-2016-1000031 — apache — commons_fileupload
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Critical Vulnerability: CVE-2015-1832 — apache — derby
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary file
Critical Vulnerability: CVE-2016-5019 — apache — myfaces_trinidad
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a
Critical Vulnerability: CVE-2016-4436 — apache — struts
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
Critical Vulnerability: CVE-2016-4464 — apache — cxf_fediz
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers
Critical Vulnerability: CVE-2016-4438 — apache — struts
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
Critical Vulnerability: CVE-2016-4432 — apache — qpid_broker-j
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to con
Critical Vulnerability: CVE-2016-3087 — apache — struts
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exc
Critical Vulnerability: CVE-2016-3082 — apache — struts
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
Critical Vulnerability: CVE-2016-0733 — apache — ranger
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a va
Critical Vulnerability: CVE-2016-2170 — apache — ofbiz
Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections li
Critical Vulnerability: CVE-2015-3252 — apache — cloudstack
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server.
Critical Vulnerability: CVE-2015-5344 — apache — camel
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
Critical Vulnerability: CVE-2026-42027 — apache — opennlp
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Cl
Critical Vulnerability: CVE-2026-40682 — apache — opennlp
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor c
Critical Vulnerability: CVE-2026-42779 — apache — mina
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one
Critical Vulnerability: CVE-2026-42778 — apache — mina
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was inco
Critical Vulnerability: CVE-2026-41873 — apache — pony_mail
** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all v
Critical Vulnerability: CVE-2026-40860 — apache — camel
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() w
Critical Vulnerability: CVE-2026-41409 — apache — mina
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in
Critical Vulnerability: CVE-2026-41635 — apache — mina
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing
Critical Vulnerability: CVE-2026-33454 — apache — camel
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOut
Critical Vulnerability: CVE-2026-40453 — apache — camel
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecu
Critical Vulnerability: CVE-2026-33453 — apache — camel
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message h
Critical Vulnerability: CVE-2010-2076 — apache — cxf
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not p
Critical Vulnerability: CVE-2026-33557 — apache — kafka
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.D
Critical Vulnerability: CVE-2026-42810 — apache — polaris
Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unes
Critical Vulnerability: CVE-2026-42809 — apache — polaris
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary creden
Critical Vulnerability: CVE-2026-42811 — apache — polaris
In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across t
Critical Vulnerability: CVE-2026-42812 — apache — polaris
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table p
Critical Vulnerability: CVE-2017-15702 — apache — qpid_broker-j
In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remo
Critical Vulnerability: CVE-2017-12635 — apache — couchdb
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys f
Critical Vulnerability: CVE-2017-12633 — apache — camel
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object deserialization vulnerability. Deserializing untrusted data can lead to security f
Critical Vulnerability: CVE-2017-12634 — apache — camel
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object deserialization vulnerability. Deserializing untrusted data can lead to security fl
Critical Vulnerability: CVE-2013-4366 — apache — httpclient
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors inv
Critical Vulnerability: CVE-2012-4449 — apache — hadoop
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-depend
Critical Vulnerability: CVE-2014-0073 — apache — cordova_in-app-browser, cordova
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through
Critical Vulnerability: CVE-2014-3579 — apache — activemq_apollo
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML m
Critical Vulnerability: CVE-2016-5003 — apache — ws-xmlrpc
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
Critical Vulnerability: CVE-2014-3600 — apache — activemq
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML message
Critical Vulnerability: CVE-2012-1622 — apache — ofbiz
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
Critical Vulnerability: CVE-2015-3249 — apache — traffic_server
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary c
Critical Vulnerability: CVE-2014-3624 — apache — traffic_server
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
Critical Vulnerability: CVE-2017-5636 — apache — nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could i
Critical Vulnerability: CVE-2016-8736 — apache — openmeetings
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Critical Vulnerability: CVE-2014-0030 — apache — roller
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
Critical Vulnerability: CVE-2017-12620 — apache — opennlp
When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from un
Critical Vulnerability: CVE-2017-12621 — apache — commons_jelly
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instan
Critical Vulnerability: CVE-2016-6795 — apache — struts
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on
Critical Vulnerability: CVE-2017-12611 — apache — struts
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Showing the 60 most recent. Older alerts are archived but still reachable via search and the main feed.