Known Vulnerabilities for products from Apache
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Apache".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-54665 json | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alte... | Not Provided | 2026-06-22 | 2026-06-23 |
| CVE-2026-50645 json | There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF,... | Not Provided | 2026-06-12 | 2026-06-13 |
| CVE-2026-50634 json | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was no... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50633 json | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50632 json | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CX... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50631 json | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use se... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50630 json | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50629 json | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50628 json | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-50627 json | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. ... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-50623 json | Not Provided | 2026-06-12 | 2026-06-16 | |
| CVE-2026-50223 json | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated... | Not Provided | 2026-06-10 | 2026-06-12 |
| CVE-2026-50203 json | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or comp... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-50076 json | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM... | Not Provided | 2026-06-04 | 2026-06-08 |
| CVE-2026-49975 json | Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via mal... | Not Provided | 2026-06-08 | 2026-06-18 |
| CVE-2026-49875 json | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-49872 json | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibl... | Not Provided | 2026-06-19 | 2026-06-23 |
| CVE-2026-49871 json | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a r... | Not Provided | 2026-06-19 | 2026-06-23 |
| CVE-2026-49818 json | The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a contai... | Not Provided | 2026-06-09 | 2026-06-12 |
| CVE-2026-49361 json | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum f... | Not Provided | 2026-06-01 | 2026-06-01 |
Known software with vulnerabilities from Apache
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Apache | Accumulo | 1.10.0 |
| Application | Apache | Activemq | - |
| Application | Apache | Activemq Apollo | 1.0 |
| Application | Apache | Activemq Artemis | - |
| Application | Apache | Airflow | 0.1 |
| Application | Apache | Allura | 1.0.0 |
| Application | Apache | Ambari | 0.9 |
| Application | Apache | Amqp 0-x Jms Client | 6.0.3 |
| Application | Apache | Amqp Jms Client | 0.9.0 |
| Application | Apache | Ant | 1.1 |
| Application | Apache | Apache-ssl | 1.37 |
| Application | Apache | Apache Test | - |
| Application | Apache | Apisix | 1.2 |
| Application | Apache | Apr-util | 0.9.1 |
| Application | Apache | Archiva | 0.9 |
| Application | Apache | Arrow | 0.1.0 |
| Application | Apache | Asterixdb | - |
| Application | Apache | Atlas | 0.5.0 |
| Application | Apache | Axis | - |
| Application | Apache | Axis2 | - |