
CVE-2025-54090 – Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
https://notcve.org/view.php?id=CVE-2025-54090
23 Jul 2025 — A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-253: Incorrect Check of Function Return Value •

CVE-2025-50151 – Apache Jena: Configuration files uploaded by administrative users are not checked properly
https://notcve.org/view.php?id=CVE-2025-50151
21 Jul 2025 — File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload. • https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss • CWE-20: Improper Input Validation •

CVE-2025-49656 – Apache Jena: Administrative users can create files outside the server directory space via the admin UI
https://notcve.org/view.php?id=CVE-2025-49656
21 Jul 2025 — Users with administrator access can create database files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue. • https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-48795 – Apache CXF: Denial of Service and sensitive data exposure in logs
https://notcve.org/view.php?id=CVE-2025-48795
15 Jul 2025 — Apache CXF stores large stream-based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service by triggering an out-of-memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem; however, this bug means that the cached files... • https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-53689 – Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
https://notcve.org/view.php?id=CVE-2025-53689
14 Jul 2025 — Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document builder to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version. • https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2024-41169 – Apache Zeppelin: raft directory listing and file read
https://notcve.org/view.php?id=CVE-2024-41169
12 Jul 2025 — The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter. • https://github.com/apache/zeppelin/pull/4841 • CWE-664: Improper Control of a Resource Through its Lifetime •

CVE-2025-48924 – Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
https://notcve.org/view.php?id=CVE-2025-48924
11 Jul 2025 — Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: from commons-lang:commons-lang 2.0 through 2.6, and from org.apache.commons:commons-lang3 3.0 before 3.18.0. The ClassUtils.getClass(...) methods can throw a StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. • https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1 • CWE-674: Uncontrolled Recursion •

CVE-2025-53506 – Apache Tomcat: DoS via excessive h2 streams at connection start
https://notcve.org/view.php?id=CVE-2025-53506
10 Jul 2025 — Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. • https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0 • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-52520 – Apache Tomcat: DoS via integer overflow in multipart file upload
https://notcve.org/view.php?id=CVE-2025-52520
10 Jul 2025 — For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. • https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5 • CWE-190: Integer Overflow or Wraparound •

CVE-2025-52434 – Apache Tomcat: APR/Native Connector crash leading to DoS
https://notcve.org/view.php?id=CVE-2025-52434
10 Jul 2025 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue. • https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •