CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48944 – Apache Kylin: SSRF vulnerability in the diagnosis api
https://notcve.org/view.php?id=CVE-2024-48944
27 Mar 2025 — Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes... • https://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8hvqdyc9x • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53679 – Apache VCL: XSS vulnerability in User Lookup impacting user privileges
https://notcve.org/view.php?id=CVE-2024-53679
25 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. Vulnerabilidad de neutralización incorrecta de la entrada durante la... • https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53678 – Apache VCL: SQL injection vulnerability in New Block Allocation form
https://notcve.org/view.php?id=CVE-2024-53678
25 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. • https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26796 – Apache Oozie: XSS in Oozie Web Console
https://notcve.org/view.php?id=CVE-2025-26796
22 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input Duri... • https://lists.apache.org/thread/fzrmsslnrpl0vpp0jr73fosmfjv4omdq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27888 – Apache Druid: Server-Side Request Forgery and Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-27888
20 Mar 2025 — Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authe... • https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54016 – compression bomb attack in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-54016
20 Mar 2025 — Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. • https://lists.apache.org/thread/grn0x8tmssx07qc9z50lwgmrkwzrrhzg • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47552 – Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server
https://notcve.org/view.php?id=CVE-2024-47552
20 Mar 2025 — Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue. • https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27018 – Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
https://notcve.org/view.php?id=CVE-2025-27018
19 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue. Vulner... • https://github.com/apache/airflow/pull/47254 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27017 – Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
https://notcve.org/view.php?id=CVE-2025-27017
12 Mar 2025 — Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. • https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27867 – Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin
https://notcve.org/view.php?id=CVE-2025-27867
12 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0. Users are recommended to upgrade to version 1.2.2, which fixes the issue. • https://lists.apache.org/thread/y83f2rvm8bccr5ctgv7mzxd69p6f77dp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •