Known Vulnerabilities for products from Apache
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Apache".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-50645 json | There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF,... | Not Provided | 2026-06-12 | 2026-06-13 |
| CVE-2026-50634 json | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was no... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50633 json | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50632 json | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CX... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50631 json | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use se... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50630 json | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50629 json | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without... | Not Provided | 2026-06-12 | 2026-06-12 |
| CVE-2026-50628 json | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-50627 json | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. ... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-50623 json | An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw... | Not Provided | 2026-06-12 | 2026-06-16 |
| CVE-2026-50223 json | Not Provided | 2026-06-10 | 2026-06-12 | |
| CVE-2026-50203 json | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or comp... | Not Provided | 2026-06-17 | 2026-06-17 |
| CVE-2026-50076 json | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM... | Not Provided | 2026-06-04 | 2026-06-08 |
| CVE-2026-49975 json | Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via mal... | Not Provided | 2026-06-08 | 2026-06-18 |
| CVE-2026-49875 json | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP... | Not Provided | 2026-06-12 | 2026-06-15 |
| CVE-2026-49818 json | The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a contai... | Not Provided | 2026-06-09 | 2026-06-12 |
| CVE-2026-49361 json | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum f... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-49328 json | Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-i... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-49298 json | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API ... | Not Provided | 2026-06-01 | 2026-06-03 |
| CVE-2026-49270 json | Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ ... | Not Provided | 2026-06-01 | 2026-06-01 |
Known software with vulnerabilities from Apache
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Apache | Accumulo | 1.10.0 |
| Application | Apache | Activemq | - |
| Application | Apache | Activemq Apollo | 1.0 |
| Application | Apache | Activemq Artemis | - |
| Application | Apache | Airflow | 0.1 |
| Application | Apache | Allura | 1.0.0 |
| Application | Apache | Ambari | 0.9 |
| Application | Apache | Amqp 0-x Jms Client | 6.0.3 |
| Application | Apache | Amqp Jms Client | 0.9.0 |
| Application | Apache | Ant | 1.1 |
| Application | Apache | Apache-ssl | 1.37 |
| Application | Apache | Apache Test | - |
| Application | Apache | Apisix | 1.2 |
| Application | Apache | Apr-util | 0.9.1 |
| Application | Apache | Archiva | 0.9 |
| Application | Apache | Arrow | 0.1.0 |
| Application | Apache | Asterixdb | - |
| Application | Apache | Atlas | 0.5.0 |
| Application | Apache | Axis | - |
| Application | Apache | Axis2 | - |