CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54016 – compression bomb attack in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-54016
20 Mar 2025 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. • https://lists.apache.org/thread/grn0x8tmssx07qc9z50lwgmrkwzrrhzg • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47552 – Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-47552
20 Mar 2025 — Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. • https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27018 – Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
https://notcve.org/view.php?id=CVE-2025-27018
19 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue. Vulner... • https://github.com/apache/airflow/pull/47254 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27017 – Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
https://notcve.org/view.php?id=CVE-2025-27017
12 Mar 2025 — Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. • https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27867 – Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin
https://notcve.org/view.php?id=CVE-2025-27867
12 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0. Users are recommended to upgrade to version 1.2.2, which fixes the issue. • https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-29891 – Apache Camel: Camel Message Header Injection through request parameters
https://notcve.org/view.php?id=CVE-2025-29891
12 Mar 2025 — Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-ex... • https://camel.apache.org/security/CVE-2025-27636.html • CWE-164: Improper Neutralization of Internal Special Elements •
CVSS: 10.0EPSS: 92%CPEs: 3EXPL: 25CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability
https://notcve.org/view.php?id=CVE-2025-24813
10 Mar 2025 — Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (... • https://packetstorm.news/files/id/189826 • CWE-44: Path Equivalence: 'file.name' (Internal Dot) CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26865 – Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE
https://notcve.org/view.php?id=CVE-2025-26865
10 Mar 2025 — Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. • https://issues.apache.org/jira/browse/OFBIZ-12594 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 7.5EPSS: 40%CPEs: 3EXPL: 1CVE-2025-27636 – Apache Camel: Camel Message Header Injection via Improper Filtering
https://notcve.org/view.php?id=CVE-2025-27636
09 Mar 2025 — Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components * camel-servlet * ca... • https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC • CWE-178: Improper Handling of Case Sensitivity CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38311 – Apache Traffic Server: Request smuggling via pipelining after a chunked message body
https://notcve.org/view.php?id=CVE-2024-38311
06 Mar 2025 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-20: Improper Input Validation •