Apache Vulnerabilities
Comprehensive security vulnerability database for Apache products
7
7
18
6
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2025-66249 | 6.3 | This vulnerability allows an attacker to access files outside of the intended directory on an Apache Livy server, potentially exposing sensitive data. It can only be exploited if the server is configured with a non-default setting for local directory access, so users should upgrade to version 0.9.0 to protect against this risk. | apachelivy | Exploit Available | 25 days agoMar 13, 2026 |
| CVE-2025-60012 | 6.3 | This vulnerability allows an attacker to access files they shouldn't be able to reach by sending specially crafted requests to Apache Livy's REST or JDBC interface. To exploit this, the attacker must already have access to these interfaces and be able to include specific Spark configuration values in their requests. | apachelivy | Exploit Available | 25 days agoMar 13, 2026 |
| CVE-2026-25604 | 5.4 | An attacker could gain unauthorized access to different AWS instances by reusing SAML authentication responses from other instances, potentially bypassing access controls. This vulnerability occurs because the system does not verify the origin of the SAML response against the actual instance URL, so it's crucial to upgrade to version 9.22.0 of the provider if you're using AWS Auth Manager. | apacheairflow providers amazon | Exploit Available | 29 days agoMar 9, 2026 |
| CVE-2025-59060 | 5.3 | This vulnerability allows an attacker to impersonate a trusted server by bypassing hostname verification in Apache Ranger, which could lead to unauthorized access to sensitive data. It affects versions 2.7.0 and earlier, so users should upgrade to version 2.8.0 to protect against this risk. | apacheranger | Exploit Available | about 1 month agoMar 3, 2026 |
| CVE-2026-23980 | 5.3 | This vulnerability allows an authenticated user with read access to manipulate SQL queries, potentially exposing sensitive data or causing errors in the database. It affects versions of Apache Superset prior to 6.0.0, so users should upgrade to this version to fix the issue. | apachesuperset | Exploit Available | about 1 month agoFeb 24, 2026 |
| CVE-2026-23969 | 5.3 | This vulnerability allows an attacker to execute potentially harmful SQL functions in Apache Superset when using the ClickHouse database, due to an incomplete list of restricted functions. To exploit this, the attacker needs access to SQL Lab or charts in a version of Superset prior to 4.1.2. | apachesuperset | Exploit Available | about 1 month agoFeb 24, 2026 |
| CVE-2025-27555 | 6.5 | Authenticated users with access to audit logs can view sensitive connection details that should remain hidden, as these values are stored unencrypted in the Airflow database. To mitigate this risk, users should upgrade to version 2.11.1 or later and manually remove any sensitive entries from the log. | apacheairflow | Exploit Available | about 1 month agoFeb 24, 2026 |
About Apache Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Apache products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.