
CVE-2025-27696 – Apache Superset: Improper authorization leading to resource ownership takeover
https://notcve.org/view.php?id=CVE-2025-27696
13 May 2025 — Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue. • https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413 • CWE-285: Improper Authorization •

CVE-2025-46392 – Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x
https://notcve.org/view.php?id=CVE-2025-46392
09 May 2025 — Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations. Users that load untrusted configurations or give att... • https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-27533 – Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation
https://notcve.org/view.php?id=CVE-2025-27533
07 May 2025 — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 b... • https://packetstorm.news/files/id/191182 • CWE-789: Memory Allocation with Excessive Size Value •

CVE-2025-46762 – Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
https://notcve.org/view.php?id=CVE-2025-46762
06 May 2025 — Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro deliberately uses the "specific" or the "reflect" models for reading Parquet files (the "generic" model is not impacted). Users are recommended to ... • https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp • CWE-73: External Control of File Name or Path •

CVE-2025-3891 – mod_auth_openidc: DoS via empty POST in mod_auth_openidc with OIDCPreservePost enabled
https://notcve.org/view.php?id=CVE-2025-3891
29 Apr 2025 — A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability. An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise ... • https://access.redhat.com/security/cve/CVE-2025-3891 • CWE-248: Uncaught Exception •

CVE-2025-31651 – Apache Tomcat: Bypass of rules in Rewrite Valve
https://notcve.org/view.php?id=CVE-2025-31651
28 Apr 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERS... • https://github.com/gregk4sec/CVE-2025-31651 • CWE-116: Improper Encoding or Escaping of Output • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •

CVE-2025-31650 – Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
https://notcve.org/view.php?id=CVE-2025-31650
28 Apr 2025 — Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fi... • https://packetstorm.news/files/id/200672 • CWE-20: Improper Input Validation • CWE-459: Incomplete Cleanup •

CVE-2025-27820 – Apache HttpComponents: PSL (Public Suffix List) validation bypass
https://notcve.org/view.php?id=CVE-2025-27820
24 Apr 2025 — A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release. • https://github.com/apache/httpcomponents-client/pull/574 • CWE-295: Improper Certificate Validation •

CVE-2025-26413 – Apache Kvrocks: The server was crashed by the negative offset
https://notcve.org/view.php?id=CVE-2025-26413
22 Apr 2025 — Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command did not check whether the `offset` input is a positive integer before using it as an index into a string, so a negative offset causes the server to crash because the index is out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue. • https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw • CWE-20: Improper Input Validation •

CVE-2025-29953 – Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
https://notcve.org/view.php?id=CVE-2025-29953
18 Apr 2025 — Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced an allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has depreca... • https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx • CWE-502: Deserialization of Untrusted Data •