CVE-2026-49818 - The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destinat

CVE-2026-34905 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This iss

CVE-2026-34033 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apach

CVE-2026-34031 - Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects

CVE-2026-33582 - Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects

CVE-2026-25699 - Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. T

CVE-2026-25688 - Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects

CVE-2026-49975 - Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to

CVE-2026-48913 - Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already ex

CVE-2026-44631 - Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configur

CVE-2026-44186 - Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in

CVE-2026-44185 - Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker contr

CVE-2026-44119 - Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .h

CVE-2026-43951 - Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple re

CVE-2026-42536 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and

CVE-2026-42535 - A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to d

CVE-2026-34356 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and Pr

CVE-2026-34355 - A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an

CVE-2026-29170 - A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apa

CVE-2026-29167 - Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration Thi

CVE-2026-50076 - Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK

CVE-2026-45080 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4

CVE-2026-44367 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4

CVE-2026-46718 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in

CVE-2026-41115 - An improper authorization vulnerability has been identified in Apache Kafka. The implementation of

CVE-2026-49328 - Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) f

CVE-2026-49361 - Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.M

CVE-2026-49298 - A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate a

CVE-2026-49270 - Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache A

CVE-2026-49267 - Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STA

CVE-2026-49157 - Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ:

CVE-2026-48827 - Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upl

CVE-2026-48726 - A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after

CVE-2026-46764 - The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit

CVE-2026-46605 - Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authent

CVE-2026-45505 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-45426 - Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log

CVE-2026-45360 - Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_r

CVE-2026-44825 - Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr v

CVE-2026-42588 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-42360 - A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g.

CVE-2026-42359 - A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authentic

CVE-2026-42358 - A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-

CVE-2026-42253 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-42252 - Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when tr

CVE-2026-41084 - A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_

CVE-2026-41017 - Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deploy

CVE-2026-41014 - The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not p

CVE-2026-40963 - The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Da

CVE-2026-40961 - A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that b

CVE-2026-40861 - A Dag author could either (a) create a symlink under their task's log directory pointing to an arbit

CVE-2026-45192 - A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed a

CVE-2026-48557 - Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in Fil

CVE-2026-40914 - A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with securi

CVE-2025-48977 - Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can r

CVE-2026-44966 - Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earl

CVE-2026-40564 - Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerabilit

CVE-2026-48589 - Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect aft

CVE-2026-44598 - With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Reque

CVE-2026-43828 - Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attr

CVE-2026-43827 - Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Ap

CVE-2026-42797 - Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administ

CVE-2026-42782 - Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with a

CVE-2026-46745 - Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows

CVE-2026-45249 - A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rend

CVE-2026-44930 - An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF

CVE-2026-44618 - Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform

CVE-2026-44417 - The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete

CVE-2026-48207 - Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass docu

CVE-2026-45760 - (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through Use

CVE-2026-47323 - Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knat

CVE-2026-46586 - Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in

CVE-2026-45434 - Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remo

CVE-2026-45187 - Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: bef

CVE-2026-41919 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability i

CVE-2026-35086 - Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache

CVE-2026-31986 - Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz:

CVE-2026-31910 - Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz:

CVE-2026-31909 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issu

CVE-2026-31906 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-31388 - Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affec

CVE-2026-31387 - Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.0

CVE-2026-31380 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La

CVE-2026-31379 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limit

CVE-2026-31378 - Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24

CVE-2026-29226 - Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations.

CVE-2026-29220 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2026-29207 - Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

CVE-2018-25324 - Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that

CVE-2026-41258 - OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and

CVE-2026-35194 - Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x al

CVE-2026-8503 - Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apac

CVE-2026-45205 - Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration

CVE-2026-42268 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-43515 - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the

CVE-2026-43514 - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue

CVE-2026-43513 - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue af

CVE-2026-43512 - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. T

CVE-2026-42498 - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerabi

CVE-2026-41293 - Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11

CVE-2026-41284 - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue aff

CVE-2026-43826 - The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for exam

CVE-2026-6722 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.

CVE-2026-39816 - The optional extension component TinkerpopClientService is missing the Restricted annotation with th

CVE-2026-25199 - Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to oth

CVE-2026-25077 - Account users are allowed by default to register templates to be downloaded directly to the primary

CVE-2025-69233 - Due to multiple time-of-check time-of-use race conditions in the resource count check and increment

CVE-2025-66467 - Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access

CVE-2013-10075 - Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apac

CVE-2026-42241 - ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to

CVE-2026-41930 - Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-a

CVE-2026-5081 - Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are inse

CVE-2026-43975 - FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter

CVE-2026-43646 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This iss

CVE-2026-42509 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-40010 - Missing invocation of Servlet http web request method changeSessionId after session binding can be e

CVE-2026-40075 - OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earl

CVE-2026-28780 - Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp co

CVE-2026-30923 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS

CVE-2026-29168 - Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md v

CVE-2026-43870 - Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversa

CVE-2026-43868 - Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apac

CVE-2026-43869 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-42812 - In Apache Iceberg, the table's metadata files are control files: they tell readers which data files

CVE-2026-42809 - Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation

CVE-2026-42440 - OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Version

CVE-2026-42027 - Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Aff

CVE-2026-40682 - XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersis

CVE-2026-40563 - Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas

CVE-2026-33523 - HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compr

CVE-2026-33007 - A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows

CVE-2026-33006 - A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authe

CVE-2026-29169 - A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an att

CVE-2026-23918 - Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This iss

CVE-2026-34032 - Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affec

CVE-2026-33857 - Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apach

CVE-2026-34059 - Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: throug

CVE-2026-24072 - An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .ht

CVE-2026-42779 - The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42778 - The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original is

CVE-2026-42404 - Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy referenc

CVE-2026-42403 - Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy d

CVE-2026-42402 - Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy n

CVE-2026-41016 - Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL c

CVE-2026-41636 - Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Th

CVE-2026-41607 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41606 - Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.2

CVE-2026-41605 - Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: be

CVE-2026-41604 - Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0.

CVE-2026-41603 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue af

CVE-2026-41602 - Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implement

CVE-2025-48431 - Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This

CVE-2026-41081 - Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in

CVE-2026-40557 - Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

CVE-2026-33453 - Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apac

CVE-2026-27172 - The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegi

CVE-2026-41409 - The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname

CVE-2026-40858 - The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data r

CVE-2026-40022 - When authentication is enabled on the Apache Camel embedded HTTP server or embedded management serve

CVE-2026-33454 - The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter s

CVE-2026-41635 - Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes

CVE-2026-40860 - JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, des

CVE-2026-40473 - The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in

CVE-2026-40048 - The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in

CVE-2026-39920 - BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administ

CVE-2026-23902 - Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with sys

CVE-2026-41044 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-41043 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apach

CVE-2026-40466 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2025-62233 - Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue a

CVE-2026-33208 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33078 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prio

CVE-2026-33077 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-33076 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-4132 - The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading

CVE-2026-2717 - The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and inc

CVE-2026-40542 - Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the cli

CVE-2026-33432 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions u

CVE-2026-33431 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers

CVE-2026-6257 - Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functional

CVE-2026-33558 - Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component

CVE-2026-33557 - A possible security vulnerability has been identified in Apache Kafka. By default, the broker prope

CVE-2025-66335 - Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw

CVE-2026-40948 - The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or valid

CVE-2026-32690 - Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables

CVE-2026-30912 - In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_

CVE-2026-25917 - Dag Authors, who normally should not be able to execute code in the webserver context could craft XC

CVE-2026-30778 - The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of M

CVE-2026-5088 - Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts.

CVE-2026-33929 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac

CVE-2026-31924 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls l

CVE-2026-31923 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due

CVE-2026-31908 - Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configu

CVE-2026-33858 - Dag Authors, who normally should not be able to execute code in the webserver context could craft XC

CVE-2025-66236 - Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager

CVE-2026-34476 - Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue af

CVE-2026-35565 - Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Af

CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6.

CVE-2026-33704 - Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including stu

CVE-2026-40023 - Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayou

CVE-2026-40021 - Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#lay

CVE-2026-34481 - Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.

CVE-2026-34480 - Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,

CVE-2026-34479 - The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden b

CVE-2026-34478 - Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424L

CVE-2026-34477 - The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete:

CVE-2026-39304 - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker,

CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled a

CVE-2026-34487 - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clusterin

CVE-2026-34486 - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-2914

CVE-2026-34483 - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache

CVE-2026-32990 - Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled v

CVE-2026-29129 - Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects

CVE-2026-25854 - Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via th

CVE-2026-24880 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Ap

CVE-2026-40046 - Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveM

CVE-2026-39962 - MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutraliz

CVE-2026-34020 - Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The RE

CVE-2026-33266 - Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie en

CVE-2026-33005 - Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered u

CVE-2026-34538 - Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to

CVE-2025-62188 - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache Dolphin

CVE-2026-35573 - ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability

CVE-2026-32588 - Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise quer

CVE-2026-27315 - Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information,

CVE-2026-27314 - Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator all

CVE-2026-35554 - A race condition in the Apache Kafka Java producer client’s buffer pool management can cause message

CVE-2026-34197 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i

CVE-2026-33227 - Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Cli

CVE-2019-25671 - VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to e

CVE-2025-65114 - Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affec

CVE-2025-58136 - A bug in POST request handling causes a crash under a certain condition. This issue affects Apache

CVE-2026-34381 - Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admi

CVE-2026-32794 - Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider co

CVE-2026-4649 - Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows readi

CVE-2026-32642 - Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists wh

CVE-2026-33308 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for clien

CVE-2026-33307 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0,

CVE-2026-3533 - The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authori

CVE-2026-33071 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV u

CVE-2026-3547 - Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained