CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity, or time period.
CVE-2026-33929 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac
CVE-2026-31924 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls l
CVE-2026-31923 - Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due
CVE-2026-31908 - Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configu
CVE-2026-33858 - Dag Authors, who normally should not be able to execute code in the webserver context could craft XC
CVE-2025-66236 - Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager
CVE-2026-34476 - Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue af
CVE-2026-35565 - Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Af
CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6.
CVE-2026-33704 - Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including stu
CVE-2026-40023 - Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayou
CVE-2026-40021 - Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#lay
CVE-2026-34481 - Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.
CVE-2026-34480 - Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,
CVE-2026-34479 - The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden b
CVE-2026-34478 - Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424L
CVE-2026-34477 - The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete:
CVE-2026-39304 - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker,
CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled a
CVE-2026-34487 - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clusterin
CVE-2026-34486 - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-2914
CVE-2026-34483 - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache
CVE-2026-32990 - Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled v
CVE-2026-29129 - Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects
CVE-2026-25854 - Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via th
CVE-2026-24880 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Ap
CVE-2026-40046 - Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveM
CVE-2026-39962 - MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutraliz
CVE-2026-34020 - Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The RE
CVE-2026-33266 - Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie en
CVE-2026-33005 - Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered u
CVE-2026-34538 - Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to
CVE-2025-62188 - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache Dolphin
CVE-2026-35573 - ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability
CVE-2026-32588 - Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise quer
CVE-2026-27315 - Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information,
CVE-2026-27314 - Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator all
CVE-2026-35554 - A race condition in the Apache Kafka Java producer client’s buffer pool management can cause message
CVE-2026-34197 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
CVE-2026-33227 - Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Cli
CVE-2019-25671 - VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to e
CVE-2025-65114 - Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affec
CVE-2025-58136 - A bug in POST request handling causes a crash under a certain condition. This issue affects Apache
CVE-2026-34381 - Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admi
CVE-2026-32794 - Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider co
CVE-2026-4649 - Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows readi
CVE-2026-32642 - Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists wh
CVE-2026-33308 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for clien
CVE-2026-33307 - Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0,
CVE-2026-3533 - The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authori
CVE-2026-33071 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV u
CVE-2026-3547 - Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained
CVE-2026-27811 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to vers
CVE-2026-30911 - Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API
CVE-2026-28779 - Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regar
CVE-2026-28563 - Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependenc
CVE-2026-26929 - Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG au
CVE-2025-54920 - This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version
CVE-2016-20026 - ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that all
CVE-2026-23941 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP
CVE-2025-66249 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apac
CVE-2025-60012 - Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apa
CVE-2026-3963 - A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function
CVE-2026-23907 - This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, f
CVE-2026-24713 - Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.
CVE-2026-24015 - A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0
CVE-2026-24308 - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all pla
CVE-2026-24281 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN
CVE-2026-27446 - Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache Activ
CVE-2025-66168 - WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releas
CVE-2025-59060 - Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apa
CVE-2025-59059 - Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versi
CVE-2025-40932 - Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX genera
CVE-2026-27636 - FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version
CVE-2026-23984 - An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated us
CVE-2026-23983 - A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to re
CVE-2026-23982 - An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user
CVE-2026-23980 - Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in
CVE-2026-23969 - Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execut
CVE-2026-25747 - Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelD
CVE-2026-23552 - Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The
CVE-2026-27161 - GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files
CVE-2026-27134 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme
CVE-2026-27133 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployme
CVE-2026-24734 - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP
CVE-2026-24733 - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests t
CVE-2025-66614 - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 1
CVE-2026-25087 - Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 t
CVE-2026-25903 - Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on
CVE-2025-33042 - Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when
CVE-2026-26214 - Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname
CVE-2026-25999 - Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there
CVE-2026-24343 - Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache
CVE-2026-23906 - Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all ve
CVE-2026-23901 - Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from
CVE-2026-24098 - Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with per
CVE-2026-22922 - Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenti
CVE-2026-23903 - Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Sh
CVE-2026-24735 - Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. T
CVE-2026-23795 - Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An ad
CVE-2026-23794 - Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into
CVE-2020-36939 - Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attacke
CVE-2026-24807 - Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-
CVE-2026-24806 - Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plu
CVE-2026-1464 - Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apac
CVE-2016-15057 - ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Comm
CVE-2026-24656 - Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket
CVE-2025-27821 - Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Ha
CVE-2026-22444 - The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some AP
CVE-2026-22022 - Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin
CVE-2025-59355 - A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 de
CVE-2025-29847 - A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using
CVE-2025-68675 - In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection
CVE-2025-68438 - In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_te
CVE-2025-60021 - Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all version
CVE-2026-22265 - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.