Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,474
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 10,661 - 10,680 of 40,240 CVEs
CVE-2026-49361 HIGH - 7.5

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting i...

Vendor: Apache Software Foundation
Product: Apache Fluss (incubating)
Published: Jun 01, 2026
Source: NVD
CVE-2026-49298 HIGH - 8.8

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g....

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-49270 MEDIUM - 5.9

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durabl...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All
Published: Jun 01, 2026
Source: NVD
CVE-2026-49267 MEDIUM - 5.9

Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the conf...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-49157 HIGH - 8.8

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker ma...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ
Published: Jun 01, 2026
Source: NVD
CVE-2026-48827 HIGH - 7.1

Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. Applications are affected if t...

Vendor: Apache Software Foundation
Product: Apache MINA SSHD
Published: Jun 01, 2026
Source: NVD
CVE-2026-48726 MEDIUM - 6.5

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-46764 MEDIUM - 4.3

The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with aud...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-46605 MEDIUM - 4.3

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
Published: Jun 01, 2026
Source: NVD
CVE-2026-45505 HIGH - 8.8

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation al...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
Published: Jun 01, 2026
Source: NVD

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying th...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-45360 HIGH - 7.3

Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the schedu...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-44825 HIGH - 8.1

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifie...

Vendor: Apache Software Foundation
Product: Apache Solr
Published: Jun 01, 2026
Source: NVD
CVE-2026-42588 HIGH - 8.1

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access p...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
Published: Jun 01, 2026
Source: NVD
CVE-2026-42360 MEDIUM - 6.5

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-42359 HIGH - 8.8

A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_K...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-42358 MEDIUM - 6.5

A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker ret...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-42253 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can al...

Vendor: Apache Software Foundation
Product: Apache ActiveMQ, Apache ActiveMQ Web
Published: Jun 01, 2026
Source: NVD
CVE-2026-42252 CRITICAL - 9.1

Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag auth...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD
CVE-2026-41084 HIGH - 7.5

A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authen...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 01, 2026
Source: NVD