CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 3CVE-2025-27533 – Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation
https://notcve.org/view.php?id=CVE-2025-27533
07 May 2025 — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 b... • https://packetstorm.news/files/id/191182 • CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46762 – Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
https://notcve.org/view.php?id=CVE-2025-46762
06 May 2025 — Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to ... • https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp • CWE-73: External Control of File Name or Path •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-31651 – Apache Tomcat: Bypass of rules in Rewrite Valve
https://notcve.org/view.php?id=CVE-2025-31651
28 Apr 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERS... • https://github.com/gregk4sec/CVE-2025-31651 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 7CVE-2025-31650 – Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
https://notcve.org/view.php?id=CVE-2025-31650
28 Apr 2025 — Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fi... • https://packetstorm.news/files/id/200672 • CWE-20: Improper Input Validation CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27820 – Apache HttpComponents: PSL (Public Suffix List) validation bypass
https://notcve.org/view.php?id=CVE-2025-27820
24 Apr 2025 — A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release Un error en la lógica de validación de PSL en Apache HttpClient 5.4.x deshabilita las comprobaciones de dominio, lo que afecta la gestión de cookies y la verificación del nombre de host. Descubierto por el equipo de Apache HttpClient. Corregido en la versión 5.4.3. • https://github.com/apache/httpcomponents-client/pull/574 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26413 – Apache Kvrocks: The server was crashed by the negative offset
https://notcve.org/view.php?id=CVE-2025-26413
22 Apr 2025 — Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Kvrocks. • https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29953 – Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
https://notcve.org/view.php?id=CVE-2025-29953
18 Apr 2025 — Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has depreca... • https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56736 – Apache HertzBeat: Server-Side Request Forgery (SSRF) in Api Config Oss
https://notcve.org/view.php?id=CVE-2024-56736
16 Apr 2025 — Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. • https://lists.apache.org/thread/kdzg36h9yxp0q0n4lhcfppxntjy8rj1x • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24859 – Apache Roller: Insufficient Session Expiration on Password Change
https://notcve.org/view.php?id=CVE-2025-24859
14 Apr 2025 — A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to... • https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27391 – Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log
https://notcve.org/view.php?id=CVE-2025-27391
09 Apr 2025 — Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue. • https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps • CWE-532: Insertion of Sensitive Information into Log File •