
CVE-2025-30065 – Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata
https://notcve.org/view.php?id=CVE-2025-30065
01 Apr 2025 — Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue. • https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27427 – Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission
https://notcve.org/view.php?id=CVE-2025-27427
01 Apr 2025 — A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the... • https://lists.apache.org/thread/8dzlm2vkqphyrnkrby8r8kzndsm5o6x8 • CWE-863: Incorrect Authorization •

CVE-2025-30067 – Apache Kylin: The remote code execution via jdbc url
https://notcve.org/view.php?id=CVE-2025-30067
27 Mar 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration may be altered to execute arbitrary code remotely. You are not affected as long as Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue. • https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-48944 – Apache Kylin: SSRF vulnerability in the diagnosis api
https://notcve.org/view.php?id=CVE-2024-48944
27 Mar 2025 — Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes... • https://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8hvqdyc9x • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-53679 – Apache VCL: XSS vulnerability in User Lookup impacting user privileges
https://notcve.org/view.php?id=CVE-2024-53679
25 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL, or be tricked into clicking a URL, that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. • https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-53678 – Apache VCL: SQL injection vulnerability in New Block Allocation form
https://notcve.org/view.php?id=CVE-2024-53678
25 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. • https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-27553 – Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT
https://notcve.org/view.php?id=CVE-2025-27553
23 Mar 2025 — Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects ... • https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb • CWE-23: Relative Path Traversal •

CVE-2025-30474 – Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message
https://notcve.org/view.php?id=CVE-2025-30474
23 Mar 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. • https://issues.apache.org/jira/browse/VFS-169 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-26796 – Apache Oozie: XSS in Oozie Web Console
https://notcve.org/view.php?id=CVE-2025-26796
22 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** • https://lists.apache.org/thread/fzrmsslnrpl0vpp0jr73fosmfjv4omdq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-27888 – Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-27888
20 Mar 2025 — Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authe... • https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-918: Server-Side Request Forgery (SSRF) •