
CVE-2025-31672 – Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names
https://notcve.org/view.php?id=CVE-2025-31672
09 Apr 2025 — Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue aff... • https://bz.apache.org/bugzilla/show_bug.cgi?id=69620 • CWE-20: Improper Input Validation •

CVE-2025-30677 – Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors
https://notcve.org/view.php?id=CVE-2025-30677
09 Apr 2025 — Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access ... • https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2025-30473 – Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection
https://notcve.org/view.php?id=CVE-2025-30473
07 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG exposing partition_clause to the user. This allowed the DAG triggering user to escalate privileges to execute those arbitrary commands which they normally would not have. This issue affects Ap... • https://github.com/apache/airflow/pull/48098 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-53868 – Apache Traffic Server: Malformed chunked message body allows request smuggling
https://notcve.org/view.php?id=CVE-2024-53868
03 Apr 2025 — Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue. • https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2025-30676 – Apache OFBiz: Stored XSS Vulnerability
https://notcve.org/view.php?id=CVE-2025-30676
01 Apr 2025 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13219 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2025-30177 – Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
https://notcve.org/view.php?id=CVE-2025-30177
01 Apr 2025 — Bypass/Injection vulnerability in Apache Camel in the Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. The Camel-Undertow component is vulnerable to Camel message header injection; in particular, the custom header filter strategy used by the component only filters the "out" direction, while it doesn't filter the "in" direction. This allows... • https://camel.apache.org/security/CVE-2025-27636.html • CWE-164: Improper Neutralization of Internal Special Elements •

CVE-2025-29868 – Apache Answer: Using externally referenced images can leak user privacy.
https://notcve.org/view.php?id=CVE-2025-29868
01 Apr 2025 — Private Data Structure Returned From A Public Method vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.2. If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the IP address of that accessing user. Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed. Private Data Structure Returned From... • https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf • CWE-495: Private Data Structure Returned From A Public Method •

CVE-2025-30065 – Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata
https://notcve.org/view.php?id=CVE-2025-30065
01 Apr 2025 — Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue. • https://packetstorm.news/files/id/190621 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27427 – Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission
https://notcve.org/view.php?id=CVE-2025-27427
01 Apr 2025 — A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the... • https://lists.apache.org/thread/8dzlm2vkqphyrnkrby8r8kzndsm5o6x8 • CWE-863: Incorrect Authorization •

CVE-2025-30067 – Apache Kylin: The remote code execution via jdbc url
https://notcve.org/view.php?id=CVE-2025-30067
27 Mar 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration may be altered to execute arbitrary code from the remote. You are fine as long as Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue. • https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc • CWE-94: Improper Control of Generation of Code ('Code Injection') •