announce

Messages by Thread

CVE-2026-40564: Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator Gyula Fora
[ANNOUNCE] Apache Tika 3.3.1 released Tim Allison
CVE-2026-48589: Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow Lenny Primak
CVE-2026-44598: Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) Lenny Primak
CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default Lenny Primak
CVE-2026-43827: Apache Shiro: Session fixation: new session is not created after login by default Lenny Primak
[ANN] Apache Syncope 4.0.6 Francesco Chicchiriccò
[ANN] Apache Syncope 4.1.1 Francesco Chicchiriccò
CVE-2026-42797: Apache Syncope: JexlContextBuilder Information Disclosure Francesco Chicchiriccò
CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static Francesco Chicchiriccò
[ANNOUNCE] Apache Doris 4.1.1 Mingyu Chen
CVE-2026-46745: Apache Airflow FAB provider: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223) Jens Scheffler
CVE-2026-45361: Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default) Jens Scheffler
[ANNOUNCE] Apache Airflow Providers prepared on 2026-05-19 are released Jens Scheffler
CVE-2026-45249: Apache ECharts: XSS in Lines series tooltip rendering Zhongxiang Wang
[ANNOUNCE] Apache Kafka 4.3.0 Mickael Maison
CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository Colm O hEigeartaigh
CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality Colm O hEigeartaigh
CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) Colm O hEigeartaigh
[ANNOUNCE] Apache Teaclave™ TrustZone SDK 0.9.0 Released Zehui Chen
[ANNOUNCE] Apache Fory 1.0.0 released Shawn Yang
[ANNOUNCE] Apache Pulsar Client Python 3.12.0 released Yunze Xu
CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement Chaokun Yang
https://camel.apache.org/security/CVE-2026-45760.html: CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack Pasquale Congiusti
[ANNOUNCE] Apache Wicket 10.9.1 released Andrea Del Bene
[ANNOUNCE] Apache PDFBox JBIG2 ImageIO plugin 3.0.5 released Andreas Lehmkühler
[ANNOUNCE] Apache NetBeans 30 Released Eric Barboni
[ANNOUNCE] Apache Artemis 2.54.0 Released Justin Bertram
CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends Vincent Beck
CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Vincent Beck
[ANNOUNCE] Apache CouchDB 3.5.2 released Jan Lehnardt
[ANNOUNCE] Apache OFBiz 24.09.06 released Jacopo Cappellato
[ANNOUNCE] Apache Storm 2.8.8 Released Rui Abreu
CVE-2026-47323: Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering Andrea Cosentino
CVE-2026-31909: Apache OFBiz: Unauthenticated Shipment Label Image Disclosure Jacopo Cappellato
CVE-2026-46586: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution Jacopo Cappellato
CVE-2026-45434: Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE Jacopo Cappellato
CVE-2026-45187: Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs Jacopo Cappellato
CVE-2026-41919: Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction Jacopo Cappellato
CVE-2026-35086: Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services Jacopo Cappellato
CVE-2026-31910: Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access Jacopo Cappellato
CVE-2026-31986: Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection Jacopo Cappellato
CVE-2026-31388: Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature Jacopo Cappellato
CVE-2026-31380: Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass Jacopo Cappellato
CVE-2026-31906: Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters Jacopo Cappellato
CVE-2026-31379: Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager Jacopo Cappellato
CVE-2026-31387: Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation Jacopo Cappellato
CVE-2026-31378: Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution Jacopo Cappellato
CVE-2026-29226: Apache OFBiz: Low-Privilege SSRF in Content Component Jacopo Cappellato
CVE-2026-29220: Apache OFBiz: Low-Privilege LFI in Content Component Jacopo Cappellato
CVE-2026-29207: Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component Jacopo Cappellato
[ANN] Apache Maven Enforcer Plugin 3.6.3 Released Tamás Cservenák
[ANN] Maven Resolver 2.0.18 released Tamás Cservenák
[ANN] Apache Maven 3.9.16 released Slawomir Jaranowski
[ANNOUNCE] Apache Flink 2.2.1 released Sergey Nuyanzin
[ANNOUNCE] Apache Wicket 8.18.0 released Andrea Del Bene
CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation Martijn Visser
CVE-2026-45205: Apache Commons Configuration: StackOverflowError for YAML input with cycles Gary D. Gregory
[ANNOUNCE] Apache Commons Configuration 2.15.0 Gary Gregory
[ANNOUNCE] Apache Wicket 9.23.0 released Andrea Del Bene
[SECURITY] CVE-2026-43515 Apache Tomcat - Security constraints not correctly applied Mark Thomas
[SECURITY] CVE-2026-43513 Apache Tomcat - LockOutRealm treats user names as case-sensitive Mark Thomas
[SECURITY] CVE-2026-43514 Apache Tomcat - AJP secret compared in non-constant time Mark Thomas
[SECURITY] CVE-2026-43512 Apache Tomcat - Digest authenticator will authenticate any unknown user Mark Thomas
[SECURITY] CVE-2026-42498 Apache Tomcat - WebSocket authentication header exposure Mark Thomas
[SECURITY] CVE-2026-41293 Apache Tomcat - HTTP/2 request headers not validated Mark Thomas
[SECURITY] CVE-2026-41284 Apache Tomcat - Unbounded read in WebDAV LOCK and PROPFIND handling Mark Thomas
[ANNOUNCE] Apache Burr 0.42.0-incubating released Elijah ben Izzy
[ANNOUNCE] Apache Parquet Java 1.17.1 Gang Wu
[ANNOUNCE] Apache Calcite Avatica 1.28.0 Released Francis Chuang
[ANN] Apache Tomcat 10.1.55 Available Christopher Schultz
[ANNOUNCE] Apache Airflow Providers prepared on 2026-05-05 are released Vincent Beck
[ANNOUNCE] Apache Tika 4.0.0-alpha-1 released Tim Allison
[ANN] Apache Tomcat 9.0.118 available Rémy Maucherat
CVE-2026-41018: Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL Shahar Epstein
CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL Shahar Epstein
[ANNOUNCE] Apache Grails Spring Security 8.0.0-M1 Mattias Reichel
[ADVISORY] Apache CloudStack LTS Security Releases 4.20.3.0 and 4.22.0.1 Daan Hoogland
[ANNOUNCE] Release Apache Paimon Rust 0.1.0 yuxia luo
[ANNOUNCE] Apache Grails 8.0.0-M1 James Fredley
[ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.3.1 released David Jensen
[ANNOUNCE] Apache Groovy 6.0.0-alpha-1 Released Paul King
[ANNOUNCE] Apache Groovy 4.0.32 Released Paul King
[ANNOUNCE] Apache Groovy 5.0.6 Released Paul King
[ANNOUNCE] Apache Ignite 2.18.0 Released zstan
[ANNOUNCE] SkyWalking Helm Chart 4.9.0 released han liu
[ANNOUNCE] Apache Wicket 10.9.0 released Andrea Del Bene
[ANNOUNCE] Apache Airflow CTL 0.1.4 from 0.1.4rc3 released Jarek Potiuk
CVE-2026-43975: Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager Pedro Henrique Oliveira dos Santos
CVE-2026-43646: Apache Wicket: crafted URLs can bypass PackageResourceGuard Pedro Henrique Oliveira dos Santos
CVE-2026-42509: Apache Wicket: crafted strings can break out of the JavaScript sequence Pedro Henrique Oliveira dos Santos
CVE-2026-40010: Apache Wicket: possible session fixation using AuthenticatedWebSession Pedro Henrique Oliveira dos Santos
CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header() Eric Covener
[ANN] Apache Tomcat 11.0.22 Available Mark Thomas
[ANNOUNCE] Apache Commons Statistics 1.3 Released Alex Herbert
[ANNOUNCE] Apache TomEE 10.1.5 Markus Jung
[ANNOUNCE] Apache Atlas 2.5.0 released Madhan Neethiraj
CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP response Eric Covener
CVE-2026-43869: Apache Thrift: TSSLTransportFactory.java hostname verification Jens Geyer
CVE-2026-43870: Apache Thrift: Node.js web_server.js multi-vulnerability Jens Geyer
CVE-2026-43868: Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern Jens Geyer
CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line Eric Covener
CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash Eric Covener
CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack Eric Covener
CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash Eric Covener
CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset Eric Covener
CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr Eric Covener
[ANNOUNCEMENT] Apache HTTP Server 2.4.67 Released covener
[ANNOUNCE] Grails Publish Gradle Plugin 1.0.0-M1 James Daugherty
[ANNOUNCE] Apache Grails 7.1.1 James Daugherty
[ANNOUNCE] Apache Pekko (Core) 1.6.0 released PJ Fanning
[ANNOUNCE] Apache Grails 7.0.11 James Daugherty
[ANNOUNCE] Apache Grails Spring Security 7.0.2 James Daugherty
[ANNOUNCE] Grails Publish Gradle Plugin 0.0.5 James Daugherty
[ANNOUNCE] Apache Grails GitHub Actions 1.0.2 James Daugherty
CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data() Eric Covener
CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) Eric Covener
CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP getter functions Eric Covener
CVE-2026-40563: Apache Atlas: Script injection allows access to unintended data Pinal Shah
[ANNOUNCE] Apache Polaris 1.4.1 Jean-Baptiste Onofré
[ANNOUNCE] OpenNLP 2.5.9 released Richard Zowalla
[ANNOUNCE] OpenNLP 3.0.0-M3 released Richard Zowalla
CVE-2026-42812: Apache Polaris: No protection on `write.metadata.path` Jean-Baptiste Onofré
CVE-2026-42811: Apache Polaris: In plain terms, Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Jean-Baptiste Onofré
CVE-2026-42810: Apache Polaris: Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. Jean-Baptiste Onofré
CVE-2026-42809: Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location Jean-Baptiste Onofré
CVE-2026-42440: Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader Richard Zowalla
CVE-2026-42027: Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader Richard Zowalla
CVE-2026-40682: Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor Richard Zowalla
CVE-2026-42404: Apache Neethi: Unrestricted HTTP Redirect Following in Policy References Colm O hEigeartaigh
CVE-2026-42402: Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS Colm O hEigeartaigh
[ANNOUNCE] Release Apache OpenDAL 0.56.0 Xuanwo
CVE-2026-42403: Apache Neethi: Circular Policy Reference Infinite Loop Colm O hEigeartaigh
Apache MINA 2.0.12 and 2.2.7 release Emmanuel Lecharny
[ANNOUNCE] Apache Pulsar Helm Chart version 4.6.0 Released Lari Hotari
Apache Beam 2.73.0 Released! Vitalii Terentev
[ANNOUNCE] Apache James MIME4J 0.8.14 released [email protected]
[ANNOUNCE] Apache Accumulo Access 1.0.0-beta3 Christopher
[ANNOUNCE] Apache KIE (Incubating) 10.2.0 released Alex Porcelli
Re: CVE-2026-41016: Apache Airflow SMTP Provider: No certificate validation on SMTP STARTTLS connections Shahar Epstein
Apache MINA 2.0.28, 2.0.11 and 2.2.6 release Emmanuel Lecharny
ANNOUNCE] Apache Jackrabbit Oak 1.22.24 released Julian Reschke
- [ANNOUNCE] Apache Jackrabbit Oak 1.22.24 released Julian Reschke
CVE-2026-41873: Pony Mail: Admin account takeover via request smuggling Arnout Engelen
[ANN] Apache Struts 6.9.0 Lukasz Lenart
CVE-2025-48431: Apache Thrift glibc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid pointer error. Jens Geyer
CVE-2026-41602: Apache Thrift: Go TFramedTransport uint32 overflow Jens Geyer
CVE-2026-41603: Apache Thrift: Java TSSLTransportFactory hostname verification Jens Geyer
CVE-2026-41605: Apache Thrift: Swift Compact Protocol integer overflow Jens Geyer
CVE-2026-41604: Apache Thrift: Swift Range crash in skip() Jens Geyer
CVE-2026-41606: Apache Thrift: c_glib dispatch stack overflow Jens Geyer
CVE-2026-41607: Apache Thrift: C++ JSON OOB read Jens Geyer
CVE-2026-41636: Apache Thrift: Node.js skip() recursion Jens Geyer
[ANNOUNCE] Apache Pulsar 4.2.1 released Lari Hotari
[ANNOUNCE] Apache Pulsar 4.0.10 released Lari Hotari
[ANNOUNCE] Apache Pulsar 3.0.17 released Lari Hotari
[ANNOUNCE] Apache CloudStack LTS Release 4.20.3.0 Abhisar Sinha
[ANNOUNCE] Apache TsFile 2.3.0 released Haonan Hou
ZDRES-059: CVE-2026-41635: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE Emmanuel Lécharny
CVE-2026-41409: Apache MINA: CWE-502 Deserialization of Untrusted Data Emmanuel Lécharny
CVE-2026-40858: Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository Andrea Cosentino
CVE-2026-40860: Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp Andrea Cosentino
CVE-2026-40473: Apache Camel: Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP Andrea Cosentino
CVE-2026-40453: Apache Camel: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection Andrea Cosentino
CVE-2026-40048: Apache Camel: Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager Andrea Cosentino
CVE-2026-40022: Apache Camel: Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime Andrea Cosentino
CVE-2026-33454: Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) Andrea Cosentino
CVE-2026-33453: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution Andrea Cosentino
CVE-2026-27172: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store Andrea Cosentino
[ANNOUNCE] Apache Commons Codec 1.22.0 Gary Gregory
[ANNOUNCE] Apache Camel 4.20.0 Released Gregor Zurowski
[ANNOUNCE] Apache Storm 2.8.7 Released Rui Abreu
CVE-2026-41081: Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure Richard Zowalla
CVE-2026-40557: Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections Richard Zowalla
[ANNOUNCE] Apache Camel 4.14.7 (LTS) Released Gregor Zurowski
CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users Rahul Vats
CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities Rahul Vats
CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC Wenjun Ruan
CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. Wenjun Ruan
[ANNOUNCE] Apache Sedona 1.9.0 released Jia Yu
[ANNOUNCE] Apache ActiveMQ 6.2.5 has been released! Jean-Baptiste Onofré
[ANNOUNCE] Apache ActiveMQ 5.19.6 has been released! Jean-Baptiste Onofré
CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia Christopher L. Shannon
CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues Christopher L. Shannon
CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI Christopher L. Shannon
[ANNOUNCE] Apache Commons IO 2.22.0 Gary Gregory
[ANNOUNCE] Apache Camel 4.18.2 (LTS) Released Gregor Zurowski
[ANNOUNCE] Apache Airflow 3.2.1 Released Rahul Vats
[ANNOUNCE] Apache Arrow 24.0.0 released Raúl Cumplido
[ANNOUNCE] Apache Jackrabbit Oak 2.0.0 released Julian Reschke
[ANNOUNCE] Apache Commons Numbers Version 1.3 Released Alex Herbert
[ANNOUNCE] Apache Fory 0.17.0 released Shawn Yang
[ANNOUNCE] Apache log4net 3.3.1 released Jan Friedrich
[ANNOUNCE] Apache Camel 4.14.6 (LTS) Released Gregor Zurowski
CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager Jarek Potiuk
CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) Rahul Vats
CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to Rahul Vats
CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf Rahul Vats
CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 Rahul Vats
[ANN] Apache Maven 3.9.15 released Slawomir Jaranowski

Earlier messages