VIR Vulnerability Intelligence Relay

Search

Found 129 results in 86ms · Match type: Filtered list

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-42252 critical 9.1 9.1 apache 3d ago Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] …
CVE-2026-44930 critical 9.8 9.8 apache 13d ago An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommende…
CVE-2026-48207 critical 9.8 9.8 apache 13d ago Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resol…
CVE-2026-45434 critical 9.8 9.8 apache 16d ago Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgr…
CVE-2026-41919 critical 9.1 9.1 apache 16d ago Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad…
CVE-2026-31986 critical 9.1 9.1 apache 16d ago Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
CVE-2025-55754 critical 9.6 9.6 FIX rhel slesdebian debian apache 16d ago Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Win…
CVE-2026-43515 critical 9.1 9.1 FIX slesdebian debian apache 22d ago Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,…
CVE-2026-43512 critical 9.8 9.8 FIX slesdebian debian apache 22d ago DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr…
CVE-2026-41293 critical 9.8 9.8 FIX slesdebian debian apache 22d ago Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0…
CVE-2026-25199 critical 9.1 9.1 apache 27d ago Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxm…
CVE-2026-40010 critical 9.1 9.1 apache 29d ago Apache Wicket has a Session Fixation issue
CVE-2026-28780 critical 9.8 9.8 FIX debian debian rhel sles apache 29d ago Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy…
CVE-2026-42812 critical 9.9 9.9 apache 1mo ago Apache Polaris has an Improper Input Validation issue
CVE-2026-42811 critical 9.9 9.9 apache 1mo ago Apache Polaris has an Improper Input Validation issue
CVE-2026-42810 critical 9.9 9.9 apache 1mo ago Apache Polaris has an Improper Input Validation Issue
CVE-2026-42809 critical 9.9 9.9 apache 1mo ago Apache Polaris has an Improper Input Validation Issue
CVE-2026-42027 critical 9.8 9.8 FIX debian debian apache 1mo ago Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest
CVE-2026-40682 critical 9.1 9.1 FIX debian debian apache 1mo ago Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing
CVE-2026-42779 critical 9.8 9.8 apache 1mo ago Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)
CVE-2026-42778 critical 9.8 9.8 apache 1mo ago Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)
CVE-2026-41873 critical 9.8 9.8 apache 1mo ago ** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all …
CVE-2026-33453 critical 10.0 10.0 apache 1mo ago Apache camel-coap allows header injection that can lead to remote code execution
CVE-2026-41409 critical 9.8 9.8 FIX debian debian apache 1mo ago Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)
CVE-2026-33454 critical 9.4 9.4 apache 1mo ago Apache Camel's Camel-Mail component is vulnerable to Camel message header injection
CVE-2026-41635 critical 9.8 9.8 debian debian apache 1mo ago Apache MINA vulnerable to Deserialization of Untrusted Data
CVE-2026-40860 critical 9.8 9.8 apache 1mo ago JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() …
CVE-2026-40453 critical 9.9 9.9 apache 1mo ago Apache Camel has an incomplete fix for CVE-2025-27636
CVE-2026-27446 critical 9.8 9.8 apache 3mo ago Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions
CVE-2022-45047 critical 9.8 9.8 FIX debian debian apache 4y ago Unsafe deserialization in Apache MINA SSHD
CVE-2022-23305 critical 9.8 9.8 FIX debian debian sles rocky apachenetappbroadcom 4y ago RHSA-2022:0290: parfait:0.5 security update (Important)
CVE-2019-17571 critical 9.8 9.8 FIX debian debian slesubuntu ubuntu apachenetapporacle 7y ago Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization ga…
CVE-2017-5641 critical 9.8 9.8 apachehp 9y ago Apache Flex BlazeDS unsafe deserialization
CVE-2017-15708 critical 9.8 9.8 apacheoracle 9y ago Remote Code Execution in Apache Synapse
CVE-2017-15702 critical 9.8 9.8 apache 9y ago Apache Qpid Broker vulnerable to authentication port spoofing
CVE-2017-12634 critical 9.8 9.8 apache 9y ago Camel-castor component in Apache Camel is vulnerable to Java object de-serialisation
CVE-2017-12633 critical 9.8 9.8 apache 9y ago Apache Camel camel-hessian component vulnerable to Java object deserialization
CVE-2017-12635 critical 9.8 10.0 EXPFIX slesarch arch apache 9y ago multiple issues in couchdb
CVE-2014-0073 critical 9.8 9.8 apache 9y ago The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 throug…
CVE-2013-4366 critical 9.8 9.8 FIX debian debian apache 9y ago Hostname verification in Apache HttpClient 4.3 was disabled by default
CVE-2012-4449 critical 9.8 9.8 apache 9y ago Use of a Broken or Risky Cryptographic Algorithm in Apache Hadoop
CVE-2015-3249 critical 9.8 9.8 FIX debian debian apache 9y ago The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary …
CVE-2014-3624 critical 9.8 9.8 FIX debian debian apache 9y ago Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
CVE-2014-3600 critical 9.8 9.8 FIX debian debian apache 9y ago Improper Restriction of XML External Entity Reference in Apache ActiveMQ
CVE-2014-3579 critical 9.8 9.8 apache 9y ago Apache ActiveMQ Apollo XXE Vulnerability
CVE-2016-5003 critical 9.8 9.8 apache 9y ago Apache XML-RPC vulnerable to Deserialization of Untrusted Data
CVE-2012-1622 critical 9.8 9.8 apache 9y ago Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2017-5636 critical 9.8 9.8 apache 9y ago Injection in Apache NiFi
CVE-2017-12629 critical 9.8 10.0 EXPFIX debian debianubuntu ubuntu rhel apacheredhat 9y ago Remote code execution occurs in Apache Solr
CVE-2016-8736 critical 9.8 9.8 apache 9y ago Apache OpenMeetings RCE
CVE-2014-0030 critical 9.8 10.0 EXP apache 9y ago The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVE-2017-12620 critical 9.8 9.8 apache 9y ago Improper Restriction of XML External Entity Reference in Apache OpenNLP
CVE-2017-12621 critical 9.8 9.8 apache 9y ago Improper Restriction of XML External Entity Reference in Jelly
CVE-2017-12611 critical 9.8 10.0 EXP apache 9y ago Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal
CVE-2016-6795 critical 9.8 9.8 apache 9y ago Path Traversal in Apache Struts
CVE-2015-5206 critical 9.8 9.8 FIX debian debian apache 9y ago Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168.
CVE-2015-5168 critical 9.8 9.8 FIX debian debian apache 9y ago Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206.
CVE-2016-3086 critical 9.8 9.8 apache 9y ago Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
CVE-2016-4460 critical 9.8 9.8 apache 9y ago Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
CVE-2017-9800 critical 9.8 9.8 FIX arch arch slesdebian debian apache 9y ago A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be ge…
CVE-2016-5018 critical 9.1 9.1 slesdebian debian rhel apachenetappredhat 9y ago Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat
CVE-2012-0803 critical 9.8 9.8 apache 9y ago Improper Authentication in Apache CXF
CVE-2016-6798 critical 9.8 9.8 apache 9y ago XML External Entity Reference in Apache Sling
CVE-2017-7673 critical 9.8 9.8 apache 9y ago Apache OpenMeetings has Inadequate Encryption Strength
CVE-2017-7664 critical 10.0 10.0 apache 9y ago Apache OpenMeetings does not correctly validate uploaded XML documents
CVE-2016-6793 critical 9.1 9.1 apache 9y ago The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the pe…
CVE-2017-9788 critical 9.1 9.1 FIX debian debianarch arch sles apachenetappredhat 9y ago In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assi…
CVE-2017-5640 critical 9.8 9.8 apache 9y ago It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (…
CVE-2017-7679 critical 9.8 9.8 FIX debian debianarch arch sles apache 9y ago In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
CVE-2017-3169 critical 9.8 9.8 FIX debian debianarch arch sles apache 9y ago In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
CVE-2017-3167 critical 9.8 9.8 FIX debian debianarch arch sles apachenetappredhat 9y ago In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being…
CVE-2017-7676 critical 9.8 9.8 apache 9y ago Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '' wildcard character
CVE-2017-5645 critical 9.8 9.8 FIX debian debian sles rhel apachenetappredhat 9y ago Deserialization of Untrusted Data in Log4j
CVE-2017-5651 critical 9.8 9.8 FIX slesdebian debian apache 9y ago In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, …
CVE-2017-5648 critical 9.1 9.1 FIX slesdebian debian apache 9y ago While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th…
CVE-2016-6808 critical 9.8 9.8 FIX debian debian apache 9y ago Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.
CVE-2016-0779 critical 9.8 9.8 apache 9y ago The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
CVE-2016-6809 critical 9.8 9.8 FIX debian debian apache 9y ago Apache Tika allows Java code execution for serialized objects embedded in MATLAB files
CVE-2017-5642 critical 9.8 9.8 apache 9y ago During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs.
CVE-2014-3582 critical 9.8 9.8 apache 9y ago In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
CVE-2016-6807 critical 9.8 9.8 apache 9y ago Apache Ambari Improper Access Control
CVE-2016-8749 critical 9.8 9.8 apache 9y ago Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks
CVE-2017-3159 critical 9.8 9.8 apache 9y ago Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization
CVE-2015-3188 critical 9.8 9.8 apache 10y ago Apache Storm remote code execution vulnerability
CVE-2016-1000031 critical 9.8 9.8 slesdebian debian apache 10y ago Improper Access Control in commons-fileupload
CVE-2015-1832 critical 9.1 9.1 FIX debian debian apache 10y ago Improper Restriction of XML External Entity Reference in Apace Derby
CVE-2016-5019 critical 9.8 9.8 apache 10y ago Apache MyFaces Trinidad Deserialization Vulnerability
CVE-2016-4436 critical 9.8 9.8 apache 10y ago Apache Struts improper action name cleanup
CVE-2016-4464 critical 9.8 9.8 apache 10y ago High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2
CVE-2016-4438 critical 9.8 9.8 sles apache 10y ago Arbitrary code execution in Apache Struts 2
CVE-2016-3087 critical 9.8 10.0 EXP apache 10y ago Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
CVE-2016-4432 critical 9.1 9.1 apache 10y ago AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication
CVE-2016-2099 critical 9.8 9.8 FIX suse susedebian debian apache 10y ago Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML d…
CVE-2016-3082 critical 9.8 9.8 apache 10y ago Remote Code Execution in Apache Struts
CVE-2016-2170 critical 9.8 9.8 apache 10y ago Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections l…
CVE-2016-0733 critical 9.8 9.8 apache 10y ago The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password
CVE-2015-3252 critical 9.8 9.8 apache 11y ago Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server.
CVE-2015-5344 critical 9.8 9.8 apache 11y ago Camel-xstream component in Apache Camel can allow remote attackers to execute arbitrary commands
CVE-2015-5254 critical 9.8 9.8 FIX debian debianfedora fedora redhatapache 11y ago Improper Input Validation in Apache ActiveMQ
CVE-2015-3253 critical 9.8 9.8 FIX debian debian apacheoracle 11y ago Improper Neutralization of Special Elements in Output Used by a Downstream Component in Apache Groovy