CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35164 – Apache Guacamole: Improper input validation of console codes
https://notcve.org/view.php?id=CVE-2024-35164
02 Jul 2025 — The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue. The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate... • https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70 • CWE-129: Improper Validation of Array Index •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46647 – Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
https://notcve.org/view.php?id=CVE-2025-46647
02 Jul 2025 — A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other is... • https://lists.apache.org/thread/yrpp2cd3o4qkxlrh421mq8gsrt0k4x0w • CWE-302: Authentication Bypass by Assumed-Immutable Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32897 – Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server
https://notcve.org/view.php?id=CVE-2025-32897
28 Jun 2025 — Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the versi... • https://www.cve.org/CVERecord?id=CVE-2024-47552 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-50213 – Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator
https://notcve.org/view.php?id=CVE-2025-50213
24 Jun 2025 — Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue. Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Ap... • https://github.com/apache/airflow/pull/51734 • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32896 – Apache SeaTunnel: Unauthenticated insecure access
https://notcve.org/view.php?id=CVE-2025-32896
19 Jun 2025 — # Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue. #... • https://github.com/apache/seatunnel/pull/9010 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-31698 – Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL
https://notcve.org/view.php?id=CVE-2025-31698
19 Jun 2025 — ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue. • https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-49763 – Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin
https://notcve.org/view.php?id=CVE-2025-49763
19 Jun 2025 — ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue. ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory cons... • https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2025-48976 – Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
https://notcve.org/view.php?id=CVE-2025-48976
16 Jun 2025 — Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. This update for apache-commons-fileupload fixes the following issues: Upgrade to upstream version 1.6.0. Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS. • https://github.com/nankuo/CVE-2025-48976_CVE-2025-48988 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-49124 – Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows
https://notcve.org/view.php?id=CVE-2025-49124
16 Jun 2025 — Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. • https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv • CWE-426: Untrusted Search Path •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2025-49125 – Apache Tomcat: Security constraint bypass for pre/post-resources
https://notcve.org/view.php?id=CVE-2025-49125
16 Jun 2025 — Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 th... • https://github.com/gregk4sec/CVE-2025-49125 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •