
CVE-2024-56736 – Apache HertzBeat: Server-Side Request Forgery (SSRF) in Api Config Oss
https://notcve.org/view.php?id=CVE-2024-56736
16 Apr 2025 — Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. • https://lists.apache.org/thread/kdzg36h9yxp0q0n4lhcfppxntjy8rj1x • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-24859 – Apache Roller: Insufficient Session Expiration on Password Change
https://notcve.org/view.php?id=CVE-2025-24859
14 Apr 2025 — A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to... • https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f • CWE-613: Insufficient Session Expiration •

CVE-2025-27391 – Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log
https://notcve.org/view.php?id=CVE-2025-27391
09 Apr 2025 — Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue. • https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2025-31672 – Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names
https://notcve.org/view.php?id=CVE-2025-31672
09 Apr 2025 — Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files, and it is possible for malicious users to add zip entries with duplicate names (including the path) to the zip. In this case, products reading the affected file could read different data, because one of the zip entries with the duplicate name is selected over another, but different products may choose a different zip entry. This issue aff... • https://bz.apache.org/bugzilla/show_bug.cgi?id=69620 • CWE-20: Improper Input Validation •

CVE-2025-30677 – Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors
https://notcve.org/view.php?id=CVE-2025-30677
09 Apr 2025 — Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access ... • https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2025-30473 – Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection
https://notcve.org/view.php?id=CVE-2025-30473
07 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG that exposes partition_clause to the user. This allowed the DAG-triggering user to escalate privileges and execute arbitrary commands they normally would not be able to. This issue affects Ap... • https://github.com/apache/airflow/pull/48098 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-53868 – Apache Traffic Server: Malformed chunked message body allows request smuggling
https://notcve.org/view.php?id=CVE-2024-53868
03 Apr 2025 — Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue. • https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2025-30676 – Apache OFBiz: Stored XSS Vulnerability
https://notcve.org/view.php?id=CVE-2025-30676
01 Apr 2025 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13219 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2025-30177 – Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
https://notcve.org/view.php?id=CVE-2025-30177
01 Apr 2025 — Bypass/Injection vulnerability in Apache Camel in the Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. The Camel Undertow component is vulnerable to Camel message header injection; in particular, the custom header filter strategy used by the component only filters the "out" direction and does not filter the "in" direction. This allows... • https://camel.apache.org/security/CVE-2025-27636.html • CWE-164: Improper Neutralization of Internal Special Elements •

CVE-2025-29868 – Apache Answer: Using externally referenced images can leak user privacy.
https://notcve.org/view.php?id=CVE-2025-29868
01 Apr 2025 — Private Data Structure Returned From A Public Method vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.2. If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the ip address of that accessing user. Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed. Private Data Structure Returned From... • https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf • CWE-495: Private Data Structure Returned From A Public Method •