CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-31651 – Apache Tomcat: Bypass of rules in Rewrite Valve
https://notcve.org/view.php?id=CVE-2025-31651
28 Apr 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERS... • https://github.com/gregk4sec/CVE-2025-31651 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 7CVE-2025-31650 – Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
https://notcve.org/view.php?id=CVE-2025-31650
28 Apr 2025 — Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fi... • https://packetstorm.news/files/id/200672 • CWE-20: Improper Input Validation CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27820 – Apache HttpComponents: PSL (Public Suffix List) validation bypass
https://notcve.org/view.php?id=CVE-2025-27820
24 Apr 2025 — A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release Un error en la lógica de validación de PSL en Apache HttpClient 5.4.x deshabilita las comprobaciones de dominio, lo que afecta la gestión de cookies y la verificación del nombre de host. Descubierto por el equipo de Apache HttpClient. Corregido en la versión 5.4.3. • https://github.com/apache/httpcomponents-client/pull/574 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26413 – Apache Kvrocks: The server was crashed by the negative offset
https://notcve.org/view.php?id=CVE-2025-26413
22 Apr 2025 — Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Kvrocks. • https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29953 – Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
https://notcve.org/view.php?id=CVE-2025-29953
18 Apr 2025 — Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has depreca... • https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56736 – Apache HertzBeat: Server-Side Request Forgery (SSRF) in Api Config Oss
https://notcve.org/view.php?id=CVE-2024-56736
16 Apr 2025 — Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. • https://lists.apache.org/thread/kdzg36h9yxp0q0n4lhcfppxntjy8rj1x • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24859 – Apache Roller: Insufficient Session Expiration on Password Change
https://notcve.org/view.php?id=CVE-2025-24859
14 Apr 2025 — A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to... • https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27391 – Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log
https://notcve.org/view.php?id=CVE-2025-27391
09 Apr 2025 — Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue. • https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31672 – Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names
https://notcve.org/view.php?id=CVE-2025-31672
09 Apr 2025 — Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue aff... • https://bz.apache.org/bugzilla/show_bug.cgi?id=69620 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-30677 – Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors
https://notcve.org/view.php?id=CVE-2025-30677
09 Apr 2025 — Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access ... • https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d • CWE-532: Insertion of Sensitive Information into Log File •