Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,278
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21 - 40 of 48 CVEs
CVE-2026-46590 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-46585 HIGH - 7.5

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEA...

Vendor: Apache Software Foundation
Product: Apache Camel Lucene
Published: Jul 06, 2026
Source: NVD

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present...

Vendor: Apache Software Foundation
Product: Apache Camel Mail
Published: Jul 06, 2026
Source: NVD
CVE-2026-46457 HIGH - 7.5

Improper Input Validation vulnerability in Apache Camel NATS component. The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-46456 CRITICAL - 9.8

Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-46455 CRITICAL - 9.8

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak&#...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-46454 CRITICAL - 9.8

Improper Input Validation vulnerability in Apache Camel Cometd Component. The camel-cometd component maps inbound Bayeux (CometD) message headers into the Camel Exchange without applying a HeaderFilterStrategy. CometdBinding.populateExchangeFromMessage copies the entire ext.CamelHeaders map supplie...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-46453 MEDIUM - 5.3

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasti...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-43867 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that metadata back from the...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-43866 HIGH - 7.3

Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component. JmsBinding.extractBodyFromJms() in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the ...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-43865 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-42527 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggr...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-40859 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserialize...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-40047 CRITICAL - 9.1

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java....

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-45760 HIGH - 8.1

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the ...

Vendor: Apache Software Foundation
Product: Apache Camel K
Published: May 21, 2026
Source: NVD
CVE-2026-47323 CRITICAL - 9.8

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only f...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: May 19, 2026
Source: NVD
CVE-2026-33453 CRITICAL - 10.0

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-s...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Apr 27, 2026
Source: NVD
CVE-2026-27172 MEDIUM - 6.3

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilt...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Apr 27, 2026
Source: NVD
CVE-2026-40858 HIGH - 8.8

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Apr 27, 2026
Source: NVD
CVE-2026-40022 HIGH - 8.2

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationCon...

Vendor: Apache Software Foundation
Product: Apache Camel Platform HTTP Main
Published: Apr 27, 2026
Source: NVD