
CVE-2025-27553 – Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT
https://notcve.org/view.php?id=CVE-2025-27553
23 Mar 2025 — Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects ... • https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb • CWE-23: Relative Path Traversal •

CVE-2025-30474 – Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message
https://notcve.org/view.php?id=CVE-2025-30474
23 Mar 2025 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. • https://issues.apache.org/jira/browse/VFS-169 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-26796 – Apache Oozie: XSS in Oozie Web Console
https://notcve.org/view.php?id=CVE-2025-26796
22 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input Duri... • https://lists.apache.org/thread/fzrmsslnrpl0vpp0jr73fosmfjv4omdq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-27888 – Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-27888
20 Mar 2025 — Severity: medium (5.8) / important. Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authe... • https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-54016 – compression bomb attack in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-54016
20 Mar 2025 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through 2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. • https://lists.apache.org/thread/grn0x8tmssx07qc9z50lwgmrkwzrrhzg • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •

CVE-2024-47552 – Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-47552
20 Mar 2025 — Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. • https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27018 – Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
https://notcve.org/view.php?id=CVE-2025-27018
19 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG with the dump_sql or load_sql functions, they could pass a table parameter from the UI that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue. Vulner... • https://github.com/apache/airflow/pull/47254 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-27017 – Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
https://notcve.org/view.php?id=CVE-2025-27017
12 Mar 2025 — Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. • https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •

CVE-2025-27867 – Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin
https://notcve.org/view.php?id=CVE-2025-27867
12 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: from version 1.x through 1.2.0. Users are recommended to upgrade to version 1.2.2, which fixes the issue. • https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-29891 – Apache Camel: Camel Message Header Injection through request parameters
https://notcve.org/view.php?id=CVE-2025-29891
12 Mar 2025 — Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter the behaviour, such as the camel-bean component or the camel-ex... • https://camel.apache.org/security/CVE-2025-27636.html • CWE-164: Improper Neutralization of Internal Special Elements •