Apache Vulnerabilities
Comprehensive security vulnerability database for Apache products
7
7
18
6
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2026-24713 | 9.8 | This vulnerability allows an attacker to send malicious input to Apache IoTDB, potentially leading to unauthorized access or manipulation of data. It affects versions 1.0.0 to 1.3.6 and 2.0.0 to 2.0.6, so users should upgrade to the latest versions to protect against this risk. | apacheiotdb | Theoretical | 29 days agoMar 9, 2026 |
| CVE-2026-24015 | 9.8 | This vulnerability allows an attacker to gain unauthorized access to sensitive data within Apache IoTDB, potentially leading to data theft or manipulation. It affects versions 1.0.0 to 1.3.6 and 2.0.0 to 2.0.6, so users should upgrade to the latest versions to protect themselves. | apacheiotdb | Exploit Available | 29 days agoMar 9, 2026 |
| CVE-2025-59059 | 9.8 | This vulnerability allows an attacker to execute malicious code remotely on systems running Apache Ranger versions 2.7.0 or earlier. To exploit this, the attacker needs access to the Ranger service, which could happen if the service is exposed to the internet or accessible on an internal network. | apacheranger | Theoretical | about 1 month agoMar 3, 2026 |
| CVE-2026-23552 | 9.1 | This vulnerability allows an attacker to use a valid token from one Keycloak realm to gain unauthorized access to resources in a different realm, effectively bypassing security measures meant to keep these realms separate. It affects specific versions of Apache Camel and requires that the application is using the Keycloak component without proper issuer validation. | apachecamel | Exploit Available | about 1 month agoFeb 23, 2026 |
| CVE-2023-27524 | 9.8 | An attacker can gain unauthorized access to sensitive resources in Apache Superset if the default SECRET_KEY hasn't been changed, allowing them to manipulate session cookies. This vulnerability only affects installations that haven't followed the setup instructions to configure a unique SECRET_KEY. | apachesuperset | Exploit Available | almost 3 years agoApr 24, 2023 |
| CVE-2021-41773 | 9.8 | This vulnerability allows an attacker to access files outside of the intended directories on an Apache HTTP Server, potentially leading to remote code execution if certain scripts are enabled. This can happen if the server is misconfigured and does not properly restrict access to these files. | apachehttp server | Exploit Available | over 4 years agoOct 5, 2021 |
| CVE-2015-6420 | 9.8 | This vulnerability allows attackers to remotely execute any command on affected Cisco products by sending a specially crafted Java object. It primarily affects systems that use the Apache Commons Collections library and can be exploited if the attacker can send data to the vulnerable service. | apachecommons collections | Exploit Available | over 10 years agoDec 15, 2015 |
About Apache Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Apache products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.