CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30474 – Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message
https://notcve.org/view.php?id=CVE-2025-30474
23 Mar 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache C... • https://issues.apache.org/jira/browse/VFS-169 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26796 – Apache Oozie: XSS in Oozie Web Console
https://notcve.org/view.php?id=CVE-2025-26796
22 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input Duri... • https://lists.apache.org/thread/fzrmsslnrpl0vpp0jr73fosmfjv4omdq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27888 – Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-27888
20 Mar 2025 — Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authe... • https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54016 – compression bomb attack in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-54016
20 Mar 2025 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. • https://lists.apache.org/thread/grn0x8tmssx07qc9z50lwgmrkwzrrhzg • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47552 – Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-47552
20 Mar 2025 — Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. • https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27018 – Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
https://notcve.org/view.php?id=CVE-2025-27018
19 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue. Vulner... • https://github.com/apache/airflow/pull/47254 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27017 – Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
https://notcve.org/view.php?id=CVE-2025-27017
12 Mar 2025 — Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. • https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27867 – Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin
https://notcve.org/view.php?id=CVE-2025-27867
12 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0. Users are recommended to upgrade to version 1.2.2, which fixes the issue. • https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-29891 – Apache Camel: Camel Message Header Injection through request parameters
https://notcve.org/view.php?id=CVE-2025-29891
12 Mar 2025 — Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-ex... • https://camel.apache.org/security/CVE-2025-27636.html • CWE-164: Improper Neutralization of Internal Special Elements •
CVSS: 10.0EPSS: 92%CPEs: 3EXPL: 22CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability
https://notcve.org/view.php?id=CVE-2025-24813
10 Mar 2025 — Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (... • https://packetstorm.news/files/id/189826 • CWE-44: Path Equivalence: 'file.name' (Internal Dot) CWE-502: Deserialization of Untrusted Data •