
CVE-2025-26865 – Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE
https://notcve.org/view.php?id=CVE-2025-26865
10 Mar 2025 — Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It is a regression introduced between 18.12.17 and 18.12.18, so it only affects builds taken from between those two releases, which is not recommended: for security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. Version 18.12.17 is not affected, but a build from between 18.12.17 and 18.12.18 is. • https://issues.apache.org/jira/browse/OFBIZ-12594 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVE-2025-27636 – Apache Camel: Camel Message Header Injection via Improper Filtering
https://notcve.org/view.php?id=CVE-2025-27636
09 Mar 2025 — Bypass/Injection vulnerability in the Apache Camel-Bean component under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is only present in the following situation. The user is using one of the following HTTP servers via one of the following Camel components * camel-servlet * ca... • https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC • CWE-178: Improper Handling of Case Sensitivity CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •

CVE-2024-38311 – Apache Traffic Server: Request smuggling via pipelining after a chunked message body
https://notcve.org/view.php?id=CVE-2024-38311
06 Mar 2025 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-20: Improper Input Validation •

CVE-2024-56195 – Apache Traffic Server: Intercept plugins are not access controlled
https://notcve.org/view.php?id=CVE-2024-56195
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVE-2024-56196 – Apache Traffic Server: ACL is not fully compatible with older versions
https://notcve.org/view.php?id=CVE-2024-56196
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •

CVE-2024-56202 – Apache Traffic Server: Expect header field can unreasonably retain resource
https://notcve.org/view.php?id=CVE-2024-56202
06 Mar 2025 — Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4 or newer, which fix the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-440: Expected Behavior Violation •

CVE-2024-55532 – Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
https://notcve.org/view.php?id=CVE-2024-55532
03 Mar 2025 — Improper Neutralization of Formula Elements in the Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue. • https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2024-24778 – Apache StreamPipes: Resources Permission Escalation
https://notcve.org/view.php?id=CVE-2024-24778
03 Mar 2025 — Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was known. This issue affects Apache StreamPipes: through 0.95.1. Users are recommended to upgrade to version 0.97.0, which fixes the issue. • https://lists.apache.org/thread/j14w6wghlwwrgfgc6hoz9f94fwxtlgzh • CWE-269: Improper Privilege Management •

CVE-2024-56325 – Apache Pinot: Authentication bypass issue. If the path does not contain / and contains ., authentication is not required
https://notcve.org/view.php?id=CVE-2024-56325
03 Mar 2025 — Authentication Bypass Issue. If the path does not contain / and contains ., authentication is not required. Expected normal request and response example: curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious request and response example: curl -X POST -... • https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2024-56180 – Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
https://notcve.org/view.php?id=CVE-2024-56180
14 Feb 2025 — CWE-502 Deserialization of Untrusted Data in the eventmesh-meta-raft plugin module of the Apache EventMesh master branch (no release version) on platforms such as Windows, Linux and macOS allows attackers to send a controlled message and achieve remote code execution via the Hessian deserialization RPC protocol. Users can use the code under the master branch in the project repo or version 1.11.0 to fix this issue. • https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd • CWE-502: Deserialization of Untrusted Data •