Found 299 results in 87ms · Match type: Filtered list

CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description
CVE-2026-49361 | high | 7.5 | 7.5 | - | - | apache | 3d ago | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap…
CVE-2026-49298 | high | 8.8 | 8.8 | - | - | apache | 3d ago | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in …
CVE-2026-49157 | high | 8.8 | 8.8 | - | debian | apache | 3d ago | Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-ad…
CVE-2026-48827 | high | 7.1 | 7.1 | - | debian, sles | apache | 3d ago | Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to …
CVE-2026-45505 | high | 8.8 | 8.8 | - | debian | apache | 3d ago | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrapp…
CVE-2026-45426 | low | 3.1 | 3.1 | - | - | apache | 3d ago | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against …
CVE-2026-45360 | high | 7.3 | 7.3 | - | - | apache | 3d ago | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialize…
CVE-2026-44825 | high | 8.1 | 8.1 | FIX | debian | apache | 3d ago | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access…
CVE-2026-42588 | high | 8.1 | 8.1 | - | debian | apache | 3d ago | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes th…
CVE-2026-42359 | high | 8.8 | 8.8 | - | - | apache | 3d ago | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (…
CVE-2026-41084 | high | 7.5 | 7.5 | - | - | apache | 3d ago | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path whi…
CVE-2026-40963 | low | 3.1 | 3.1 | - | - | apache | 3d ago | The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated U…
CVE-2026-40961 | high | 7.2 | 7.2 | - | - | apache | 3d ago | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-…
CVE-2026-35563 | high | 8.5 | 8.5 | - | debian | apache | 3d ago | It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certifica…
CVE-2026-42782 | high | 7.2 | 7.2 | - | - | apache | 10d ago | Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted c…
CVE-2026-45361 | high | 8.1 | 8.1 | - | - | apache | 10d ago | Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attac…
CVE-2026-44417 | high | 7.5 | 7.5 | - | - | apache | 13d ago | The fix for CVE-2025-48913 (Apache CXF: Untrusted JMS configuration can lead to RCE) was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted use…
CVE-2026-46586 | high | 8.8 | 8.8 | - | - | apache | 16d ago | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Ap…
CVE-2026-31910 | high | 7.5 | 7.5 | - | - | apache | 16d ago | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
CVE-2026-31909 | high | 7.5 | 7.5 | - | - | apache | 16d ago | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, whi…
CVE-2026-29226 | high | 7.3 | 7.3 | - | - | apache | 16d ago | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.0…
CVE-2026-35194 | high | 8.1 | 8.1 | - | - | apache | 20d ago | Apache Flink: Remote code execution via SQL injection in code generation
CVE-2026-43514 | low | 3.7 | 3.7 | FIX | sles, debian | apache | 23d ago | Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M…
CVE-2026-43513 | high | 7.5 | 7.5 | FIX | sles, debian | apache | 23d ago | Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 …
CVE-2026-42498 | high | 7.3 | 7.3 | FIX | sles, debian | apache | 23d ago | Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1…
CVE-2026-41284 | high | 7.5 | 7.5 | FIX | sles, debian | apache | 23d ago | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 t…
CVE-2026-39816 | high | 8.8 | 8.8 | - | - | apache | 27d ago | Apache NiFi is missing the Restricted annotation with the Execute Code Required Permission
CVE-2026-25077 | high | 8.8 | 8.8 | - | - | apache | 27d ago | Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an…
CVE-2025-66467 | high | 8.1 | 8.1 | - | - | apache | 27d ago | Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, th…
CVE-2025-66172 | high | 8.1 | 8.1 | - | - | apache | 27d ago | The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is e…
CVE-2026-43646 | high | 7.5 | 7.5 | - | - | apache | 29d ago | Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability
CVE-2026-29168 | high | 7.3 | 7.3 | FIX | debian, sles, windows | apache | 1mo ago | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users a…
CVE-2026-43870 | high | 7.3 | 7.3 | FIX | debian, windows | apache | 1mo ago | Apache Thrift vulnerable to Path Traversal, HTTP Request/Response Splitting, Uncontrolled Resource Consumption
CVE-2026-43869 | high | 7.3 | 7.3 | FIX | debian, windows | apache | 1mo ago | Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability
CVE-2026-42440 | high | 7.5 | 7.5 | FIX | debian | apache | 1mo ago | Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation
CVE-2026-40563 | high | 8.1 | 8.1 | - | - | apache | 1mo ago | Apache Atlas has a Code Injection Vulnerability
CVE-2026-29169 | high | 7.5 | 7.5 | FIX | debian, sles, windows | apache | 1mo ago | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav o…
CVE-2026-23918 | high | 8.8 | 9.8 | EXP, FIX | debian, sles, windows | apache | 1mo ago | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which f…
CVE-2026-34059 | high | 7.5 | 7.5 | FIX | debian, rhel, sles | apache | 1mo ago | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-24072 | high | 8.8 | 8.8 | FIX | debian, sles, windows | apache | 1mo ago | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgra…
CVE-2026-42404 | high | 7.2 | 7.2 | - | - | apache | 1mo ago | Apache Neethi doesn't impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API
CVE-2026-42403 | high | 7.5 | 7.5 | - | - | apache | 1mo ago | Apache Neethi does not properly detect circular references in policy definitions.
CVE-2026-42402 | high | 7.5 | 7.5 | - | - | apache | 1mo ago | Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization
CVE-2026-41636 | high | 7.5 | 7.5 | FIX | sles, debian | apache | 1mo ago | Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
CVE-2026-41605 | high | 7.3 | 7.3 | FIX | sles, debian | apache | 1mo ago | Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
CVE-2026-41604 | high | 8.2 | 8.2 | FIX | sles, debian | apache | 1mo ago | Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
CVE-2026-41603 | high | 7.4 | 7.4 | FIX | sles, debian | apache | 1mo ago | Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixe…
CVE-2026-41602 | high | 7.5 | 7.5 | FIX | sles, debian | apache | 1mo ago | Apache Thrift TFramedTransport Go language implementation has an Integer Overflow or Wraparound vulnerability
CVE-2025-48431 | high | 7.5 | 7.5 | FIX | debian | apache | 1mo ago | Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, w…
CVE-2026-27172 | high | 8.8 | 8.8 | - | - | apache | 1mo ago | Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data
CVE-2026-40858 | high | 8.8 | 8.8 | - | - | apache | 1mo ago | Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data
CVE-2026-40022 | high | 8.2 | 8.2 | - | - | apache | 1mo ago | Apache Camel Vulnerable to Authentication Bypass Using an Alternate Path or Channel
CVE-2026-40473 | high | 8.8 | 8.8 | - | - | apache | 1mo ago | Camel-MINA Vulnerable to Deserialization of Untrusted Data
CVE-2026-40048 | high | 7.8 | 7.8 | - | - | apache | 1mo ago | Camel-PQC Vulnerable to Deserialization of Untrusted Data
CVE-2026-40542 | high | 7.3 | 7.3 | FIX | debian, sles | apache | 1mo ago | Apache HttpClient accepts SCRAM-SHA-256 authentication without proper mutual authentication verification
CVE-2026-34479 | high | 7.5 | 7.5 | FIX | debian, sles | apache | 2mo ago | Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
CVE-2026-39304 | high | 7.5 | 7.5 | - | debian | apache | 2mo ago | Apache ActiveMQ: Denial of Service via Out of Memory vulnerability
CVE-2026-34486 | high | 7.5 | 7.5 | FIX | sles, debian | apache | 2mo ago | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.5…
CVE-2025-55752 | high | 7.5 | 7.5 | FIX | rocky, rhel, sles | apache | 6mo ago | Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the po…
CVE-2025-48989 | high | 7.5 | 7.5 | FIX | rhel, rocky, sles | apache | 10mo ago | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0…
CVE-2023-44487 | high | 7.5 | 10.0 | KEV, EXP, FIX | rocky, rhel, debian | siemens, ietf, nghttp2 | 3y ago | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2022-34169 | high | 7.5 | 7.5 | FIX | debian, rhel, sles | apache, oracle, netapp | 4y ago | RHSA-2022:5726: java-17-openjdk security, bug fix, and enhancement update (Important)
CVE-2022-23307 | high | 8.8 | 8.8 | FIX | debian, sles, rocky | apache, qos, oracle | 4y ago | RHSA-2022:0290: parfait:0.5 security update (Important)
CVE-2022-23302 | high | 8.8 | 8.8 | FIX | debian, sles, rocky | apache, netapp, broadcom | 4y ago | RHSA-2022:0290: parfait:0.5 security update (Important)
CVE-2021-4104 | high | 7.5 | 7.5 | FIX | debian, sles, rocky | apache, redhat, oracle | 5y ago | RHSA-2022:0290: parfait:0.5 security update (Important)
CVE-2017-12626 | high | 7.5 | 7.5 | FIX | debian | apache | 6y ago | Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Me…
CVE-2020-9488 | low | 3.7 | 3.7 | FIX | debian, sles | oracle, apache, qos | 6y ago | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log mess…
CVE-2017-15700 | high | 8.8 | 8.8 | - | - | apache | 9y ago | Apache Sling Authentication Service vulnerability
CVE-2017-5663 | high | 8.8 | 8.8 | - | - | apache | 9y ago | In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT que…
CVE-2017-15701 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Apache Qpid Broker-J vulnerable to Denial of Service (DoS) via uncontrolled resource consumption
CVE-2017-12631 | high | 8.8 | 8.8 | - | - | apache | 9y ago | Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3
CVE-2017-12608 | high | 7.8 | 7.8 | FIX | debian | apache | 9y ago | A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1.4, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory…
CVE-2017-12607 | high | 7.8 | 7.8 | FIX | debian | apache | 9y ago | A vulnerability in OpenOffice's PPT file parser before 4.1.4, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and appl…
CVE-2017-9806 | high | 7.8 | 7.8 | FIX | debian | apache | 9y ago | A vulnerability in the OpenOffice Writer DOC file parser before 4.1.4, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory…
CVE-2016-6804 | high | 7.8 | 7.8 | - | - | apache | 9y ago | The Apache OpenOffice installer (versions prior to 4.1.3, including some branded as OpenOffice.org) for Windows contains a defective operation that allows execution of arbitrary code with elevated pr…
CVE-2017-12636 | high | 7.2 | 8.2 | EXP, FIX | arch, sles | apache | 9y ago | multiple issues in couchdb
CVE-2017-3166 | high | 7.8 | 7.8 | - | - | apache | 9y ago | Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main
CVE-2016-6803 | high | 7.8 | 7.8 | - | - | apache | 9y ago | An installer defect known as an "unquoted Windows search path vulnerability" affected the Apache OpenOffice before 4.1.3 installers for Windows. The PC must have previously been infected by a Trojan …
CVE-2014-0072 | high | 7.5 | 7.5 | - | - | apache | 9y ago | ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9…
CVE-2014-0115 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Apache Storm log viewer path traversal vulnerability
CVE-2012-0881 | high | 7.5 | 7.5 | - | debian | apache | 9y ago | Denial of service in Apache Xerces2
CVE-2016-3090 | high | 8.8 | 8.8 | - | - | apache | 9y ago | Apache Struts RCE Vulnerability
CVE-2015-0226 | high | 7.5 | 7.5 | FIX | debian | apache | 9y ago | Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
CVE-2015-0224 | high | 7.5 | 7.5 | - | - | apache | 9y ago | qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplet…
CVE-2014-3526 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Apache Wicket Sensitive Data Exposure
CVE-2013-4246 | high | 8.8 | 8.8 | FIX | debian | apache | 9y ago | libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive i…
CVE-2016-5002 | high | 7.8 | 7.8 | - | - | apache | 9y ago | Apache XML-RPC XXE Vulnerability
CVE-2017-12613 | high | 7.1 | 7.1 | FIX | debian, sles, arch | apache, redhat | 9y ago | When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting t…
CVE-2010-2232 | high | 7.5 | 7.5 | FIX | debian | apache | 9y ago | Improper Access Control in Apache Derby
CVE-2017-12628 | high | 7.8 | 7.8 | - | - | apache | 9y ago | Apache James Privilege Escalation
CVE-2017-5635 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Improper Authentication In Apache NiFi
CVE-2016-4461 | high | 8.8 | 8.8 | - | - | apache, netapp | 9y ago | Apache Struts forced double OGNL evaluation
CVE-2017-5637 | high | 7.5 | 8.5 | EXP, FIX | debian | apache | 9y ago | Uncontrolled Resource Consumption in Apache ZooKeeper
CVE-2016-6806 | high | 8.8 | 8.8 | - | - | apache | 9y ago | Apache Wicket vulnerable to CSRF attacks
CVE-2016-4434 | high | 7.8 | 7.8 | FIX | debian | apache | 9y ago | Apache Tika does not properly initialize the XML parser or choose handlers
CVE-2017-9790 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Use after free in Apache Mesos
CVE-2017-7687 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Denial of service in Apache Mesos
CVE-2017-9804 | high | 7.5 | 7.5 | - | - | apache | 9y ago | Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used
CVE-2017-9793 | high | 7.5 | 7.5 | - | - | apache | 9y ago | The REST Plugin in Apache Struts is using an outdated XStream library
CVE-2017-12616 | high | 7.5 | 7.5 | - | sles | apache | 9y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
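The CVE-2026-49361 entry above (Apache Fluss, Netty LengthFieldBasedFrameDecoder built with Integer.MAX_VALUE as the maximum frame length) describes a pattern worth seeing in code: a length-prefixed decoder that trusts whatever frame size the peer announces will pin memory for that peer until the frame completes or the connection dies. The following is an added illustration written for this page, not Fluss or Netty code. It models the decoder in Python so it runs stand-alone: the wire format (4-byte big-endian unsigned length prefix followed by the payload), the 16 MiB hardened ceiling and the hostile header are all assumptions for the example, not values taken from the advisory.

```python
"""Length-prefixed frame decoding with and without a frame-length ceiling.

Added illustration, not Apache Fluss or Netty code. It models the failure
described for CVE-2026-49361: a decoder whose max frame length is
Integer.MAX_VALUE accepts any announced size and keeps buffering toward it.
Assumed wire format: 4-byte big-endian unsigned length, then payload.
"""
import struct

JAVA_INT_MAX = 2**31 - 1              # Integer.MAX_VALUE, the vulnerable ceiling
HARDENED_MAX_FRAME = 16 * 1024 * 1024 # assumed sane ceiling for this protocol
HEADER_LEN = 4


class TooLongFrame(ValueError):
    """Raised when a length prefix exceeds the configured ceiling."""


class FrameDecoder:
    """Accumulates bytes from one connection and yields complete frames.

    The announced length is checked as soon as the header is readable and
    before any payload is retained, so with a sane ceiling a hostile header
    costs the server nothing. With an effectively unbounded ceiling the
    partial frame (and every byte the peer cares to send) stays resident.
    """

    def __init__(self, max_frame_length: int):
        self.max_frame_length = max_frame_length
        self._buf = bytearray()

    def feed(self, data: bytes) -> list[bytes]:
        """Append received bytes; return the complete frames now available."""
        self._buf.extend(data)
        frames = []
        while len(self._buf) >= HEADER_LEN:
            (length,) = struct.unpack_from(">I", self._buf, 0)
            if length > self.max_frame_length:
                # Netty throws TooLongFrameException here; this model drops
                # the pending bytes and fails the connection outright.
                self._buf.clear()
                raise TooLongFrame(
                    f"announced {length} bytes, ceiling {self.max_frame_length}")
            end = HEADER_LEN + length
            if len(self._buf) < end:
                break  # partial frame: bytes stay resident until it completes
            frames.append(bytes(self._buf[HEADER_LEN:end]))
            del self._buf[:end]
        return frames

    def buffered(self) -> int:
        """Bytes this one connection currently pins in memory."""
        return len(self._buf)

    def outstanding(self) -> int:
        """Further bytes the decoder is still willing to buffer for the frame in progress."""
        if len(self._buf) < HEADER_LEN:
            return 0
        (length,) = struct.unpack_from(">I", self._buf, 0)
        return max(0, HEADER_LEN + length - len(self._buf))


def hostile_header() -> bytes:
    """Constructed attacker input: a header announcing a 2 GiB frame."""
    return struct.pack(">I", JAVA_INT_MAX)


def demo() -> dict:
    """Run the vulnerable and hardened configurations against the same constructed traffic."""
    junk = b"A" * 4096  # constructed payload chunk the attacker streams after the header

    vulnerable = FrameDecoder(JAVA_INT_MAX)
    vulnerable.feed(hostile_header() + junk)  # accepted; header + junk stay resident

    hardened = FrameDecoder(HARDENED_MAX_FRAME)
    try:
        hardened.feed(hostile_header() + junk)
        rejected = False
    except TooLongFrame:
        rejected = True

    legit = FrameDecoder(HARDENED_MAX_FRAME).feed(struct.pack(">I", 5) + b"hello")

    return {
        "vulnerable_buffered": vulnerable.buffered(),
        "vulnerable_outstanding": vulnerable.outstanding(),
        "hardened_rejected": rejected,
        "hardened_buffered": hardened.buffered(),
        "legit_frames": legit,
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: after one hostile header plus 4 KiB of filler, the unbounded decoder holds those bytes and is prepared to accept roughly two billion more on that single connection, while the bounded decoder rejects the frame on the header alone and holds nothing. Multiply the former by however many unauthenticated connections the listener accepts and the heap is gone.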
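The CVE-2026-43514 entry above (observable timing discrepancy when comparing the AJP secret in Apache Tomcat) is the classic early-exit comparison bug. The following added example, written for this page and not taken from Tomcat, shows why such a discrepancy is exploitable. Rather than measuring wall-clock time, which is noisy, the naive comparison here reports how many bytes it inspected before returning; that count is exactly the signal a timing attacker recovers, and a small byte-at-a-time recovery routine uses it to reconstruct a constructed secret. The constant-time variant built on hmac.compare_digest inspects every byte regardless, and the same routine learns nothing from it. The secret and alphabet are constructed test data.

```python
"""Early-exit versus constant-time secret comparison.

Added illustration, not Apache Tomcat code. Models the bug class behind
CVE-2026-43514: a comparison that returns at the first differing byte lets
an attacker who can observe its running time learn the length of the
matching prefix, and so recover the secret one byte at a time.
"""
import hmac

SECRET = b"s3cret"                                  # constructed shared secret
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"  # constructed guess space
PAD = b"\x00"                                       # filler for positions not yet guessed


def naive_equal(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Return (match, bytes_inspected).

    Stops at the first mismatch, so bytes_inspected (the stand-in for
    elapsed time) reveals how long the matching prefix is.
    """
    if len(expected) != len(supplied):
        return False, 0
    inspected = 0
    for a, b in zip(expected, supplied):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_equal(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Same interface; hmac.compare_digest does not short-circuit, so the
    inspected count is the full length whatever the input."""
    return hmac.compare_digest(expected, supplied), len(expected)


def recover_secret(oracle, alphabet: bytes, length: int):
    """Byte-at-a-time recovery using only what the oracle leaks.

    For each position, try every candidate byte with the unknown tail padded.
    The one candidate that makes the oracle inspect more bytes than the rest
    is the correct one; the final byte is confirmed by an outright match.
    Returns None if no candidate stands out, which is what happens against
    a constant-time comparison.
    """
    known = b""
    for pos in range(length):
        counts = {}
        for c in alphabet:
            guess = known + bytes([c]) + PAD * (length - pos - 1)
            match, inspected = oracle(guess)
            if match:
                return known + bytes([c])
            counts[c] = inspected
        baseline = min(counts.values())
        standouts = [c for c, n in counts.items() if n > baseline]
        if len(standouts) != 1:
            return None  # no distinguishing signal: the oracle leaks nothing useful
        known += bytes(standouts)
    return None


def demo() -> dict:
    """Attack both comparison routines with the same recovery code."""
    leaky = recover_secret(lambda g: naive_equal(SECRET, g), ALPHABET, len(SECRET))
    safe = recover_secret(lambda g: constant_time_equal(SECRET, g), ALPHABET, len(SECRET))
    return {"recovered_from_naive": leaky, "recovered_from_constant_time": safe}


if __name__ == "__main__":
    print(demo())
```

The recovery loop needs at most len(alphabet) queries per secret byte instead of len(alphabet)**len(secret) in total, which is why even a low-rated timing side channel on an authentication secret is worth fixing. In real code the "inspected count" is a few nanoseconds of difference that has to be averaged over many requests, but the structure of the attack is the same.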