apache security advisories
60 threat alerts tracking vulnerabilities and security advisories that affect apache products.
Vulnios monitors apache CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent apache security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-42027 — apache — opennlp
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Cl

Critical Vulnerability: CVE-2026-40682 — apache — opennlp
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor c

Critical Vulnerability: CVE-2026-42779 — apache — mina
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one

Critical Vulnerability: CVE-2026-42778 — apache — mina
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was inco

Critical Vulnerability: CVE-2026-41873 — apache — pony_mail
** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all v

Critical Vulnerability: CVE-2026-40860 — apache — camel
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() w

Critical Vulnerability: CVE-2026-41409 — apache — mina
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in

Critical Vulnerability: CVE-2026-41635 — apache — mina
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing

Critical Vulnerability: CVE-2026-33454 — apache — camel
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOut

Critical Vulnerability: CVE-2026-40453 — apache — camel
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecu

Critical Vulnerability: CVE-2026-33453 — apache — camel
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message h

Critical Vulnerability: CVE-2010-2076 — apache — cxf
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not p

Critical Vulnerability: CVE-2026-33557 — apache — kafka
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.D

Critical Vulnerability: CVE-2026-42810 — apache — polaris
Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unes

Critical Vulnerability: CVE-2026-42809 — apache — polaris
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary creden

Critical Vulnerability: CVE-2026-42811 — apache — polaris
In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across t

Critical Vulnerability: CVE-2026-42812 — apache — polaris
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table p

Critical Vulnerability: CVE-2017-15702 — apache — qpid_broker-j
In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured with different authentication providers on different ports one of which is an HTTP port, then the broker can be tricked by a remo

Critical Vulnerability: CVE-2017-12635 — apache — couchdb
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys f

Critical Vulnerability: CVE-2017-12633 — apache — camel
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security f

Critical Vulnerability: CVE-2017-12634 — apache — camel
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security fl

Critical Vulnerability: CVE-2013-4366 — apache — httpclient
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors inv

Critical Vulnerability: CVE-2012-4449 — apache — hadoop
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-depend

Critical Vulnerability: CVE-2014-0073 — apache — cordova_in-app-browser, cordova
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through

Critical Vulnerability: CVE-2014-3579 — apache — activemq_apollo
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML m

Critical Vulnerability: CVE-2016-5003 — apache — ws-xmlrpc
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.

Critical Vulnerability: CVE-2014-3600 — apache — activemq
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML message

Critical Vulnerability: CVE-2012-1622 — apache — ofbiz
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.

Critical Vulnerability: CVE-2015-3249 — apache — traffic_server
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary c

Critical Vulnerability: CVE-2014-3624 — apache — traffic_server
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.

Critical Vulnerability: CVE-2017-5636 — apache — nifi
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could i

Critical Vulnerability: CVE-2016-8736 — apache — openmeetings
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.

Critical Vulnerability: CVE-2014-0030 — apache — roller
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

Critical Vulnerability: CVE-2017-12620 — apache — opennlp
When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from un

Critical Vulnerability: CVE-2017-12621 — apache — commons_jelly
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instan

Critical Vulnerability: CVE-2016-6795 — apache — struts
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on

Critical Vulnerability: CVE-2017-12611 — apache — struts
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Critical Vulnerability: CVE-2015-5168 — apache — traffic_server
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206.

Critical Vulnerability: CVE-2015-5206 — apache — traffic_server
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168.

Critical Vulnerability: CVE-2016-3086 — apache — hadoop
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

Critical Vulnerability: CVE-2016-4460 — apache — pony_mail
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.

Critical Vulnerability: CVE-2017-9800 — apache — subversion
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be gen

Critical Vulnerability: CVE-2012-0803 — apache — cxf
The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.

Critical Vulnerability: CVE-2016-6798 — apache — sling
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which

Critical Vulnerability: CVE-2017-7673 — apache — openmeetings
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.

Critical Vulnerability: CVE-2017-7664 — apache — openmeetings
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.

Critical Vulnerability: CVE-2016-6793 — apache — wicket
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the per

Critical Vulnerability: CVE-2017-5640 — apache — impala
It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (b

Critical Vulnerability: CVE-2017-3169 — apache — http_server
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

Critical Vulnerability: CVE-2017-7679 — apache — http_server
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

Critical Vulnerability: CVE-2017-7676 — apache — ranger
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior.

Critical Vulnerability: CVE-2017-5648 — apache — tomcat
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the

Critical Vulnerability: CVE-2017-5651 — apache — tomcat
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, i

Critical Vulnerability: CVE-2016-6808 — apache — tomcat_jk_connector
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.

Critical Vulnerability: CVE-2016-0779 — apache — tomee
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.

Critical Vulnerability: CVE-2017-5642 — apache — ambari
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs.

Critical Vulnerability: CVE-2016-6809 — apache — nutch, tika
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Critical Vulnerability: CVE-2016-8749 — apache — camel
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.

Critical Vulnerability: CVE-2016-6807 — apache — ambari
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations a

Critical Vulnerability: CVE-2014-3582 — apache — ambari
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
Showing the 60 most recent. Older alerts are archived but still reachable via search and the main feed.