Messages by Date
-
2026/07/13
CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Vincent Beck
-
2026/07/13
CVE-2026-58065: Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Vincent Beck
-
2026/07/13
[ANNOUNCE] Apache Pulsar Helm Chart version 4.7.0 Released
Lari Hotari
-
2026/07/13
[ANN] ASF Maven 3.10.0-rc-1 released
Tamás Cservenák
-
2026/07/13
[ANN] Apache Struts IntelliJ IDEA Plugin 261.19027.1 released
Lukasz Lenart
-
2026/07/12
CVE-2026-49876: Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs
Yu Qi
-
2026/07/12
CVE-2026-41041: Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints.
Jerry Shao
-
2026/07/11
[ANNOUNCE] Apache PDFBox 3.0.8 released
Andreas Lehmkühler
-
2026/07/10
CVE-2026-49844: Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Piotr Karwasz
-
2026/07/10
[ANNOUNCE] Apache Airflow Providers prepared on 2026-07-06 are released
Vincent Beck
-
2026/07/10
[ANN] Apache Tomcat 10.1.57 Available
Christopher Schultz
-
2026/07/10
[ANNOUNCE] Apache Polaris 1.6.0 has been released!
Jean-Baptiste Onofré
-
2026/07/09
CVE-2026-40454: Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Haonan Hou
-
2026/07/09
CVE-2026-40452: Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Haonan Hou
-
2026/07/09
CVE-2026-40009: Apache IoTDB: Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor
Haonan Hou
-
2026/07/09
CVE-2026-40008: Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Haonan Hou
-
2026/07/09
CVE-2026-40008: Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Haonan Hou
-
2026/07/09
CVE-2026-40007: Apache IoTDB: Unauthenticated unbounded recursion in IoTDB AirGap receiver's E-language prefix parser causes per-connection StackOverflowError
Haonan Hou
-
2026/07/09
CVE-2026-40006: Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded allocation in IoTDB AirGap pipe receiver
Haonan Hou
-
2026/07/09
CVE-2026-40005: Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Haonan Hou
-
2026/07/09
CVE-2026-28564: Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Haonan Hou
-
2026/07/09
[ANNOUNCE] Apache MINA SSHD 3.0.0-M5 released
Thomas Wolf
-
2026/07/09
[ANNOUNCE] Apache MINA SSHD 2.19.0 released
Thomas Wolf
-
2026/07/09
[ANNOUNCE] Apache IoTDB 2.0.10 released
Haonan Hou
-
2026/07/09
[ANNOUNCE] Apache Accumulo 2.1.5
Christopher
-
2026/07/08
CVE-2026-57111: Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Junkai Xue
-
2026/07/08
CVE-2026-41042: Apache Gravitino: Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter
Jerry Shao
-
2026/07/08
[ANN] Apache Tomcat 11.0.24 Available
Mark Thomas
-
2026/07/08
[ANN] Apache Tomcat 9.0.120 available
Rémy Maucherat
-
2026/07/07
[ANNOUNCE] Apache Daffodil 4.2.0 Released
Olabusayo Kilo
-
2026/07/07
[ANNOUNCE] Apache Daffodil 4.2.0 Released
Olabusayo Kilo
-
2026/07/07
[ANNOUNCE] Apache Airflow 3.3.0 Released
Rahul Vats
-
2026/07/07
CVE-2026-48892: Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Rahul Vats
-
2026/07/07
CVE-2026-48891: Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Rahul Vats
-
2026/07/07
CVE-2026-49296: Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Rahul Vats
-
2026/07/07
CVE-2026-48828: Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Rahul Vats
-
2026/07/07
CVE-2026-49487: Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Rahul Vats
-
2026/07/07
CVE-2026-33264: Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Rahul Vats
-
2026/07/06
CVE-2026-43825: Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Richard Zowalla
-
2026/07/06
[ANNOUNCE] Apache Jackrabbit 2.23.5-beta released
Manfred Baedke
-
2026/07/06
[ANNOUNCE] Apache Pulsar 4.2.3 released
Lari Hotari
-
2026/07/06
[ANNOUNCE] Apache Pulsar 4.0.12 released
Lari Hotari
-
2026/07/06
[ANNOUNCE] Apache Geronimo XBean 4.31 released
Francois Papon
-
2026/07/06
[ANNOUNCE] Apache Log4j `2.25.5` released
Ramanathan Muthu
-
2026/07/06
[ANNOUNCE] Apache Pulsar Client Python 3.13.0 released
Yunze Xu
-
2026/07/06
CVE-2026-49042: Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Federico Mariani
-
2026/07/06
CVE-2026-46588: Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Federico Mariani
-
2026/07/06
CVE-2026-46587: Apache Camel: Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Federico Mariani
-
2026/07/06
CVE-2026-43867: Apache Camel: Camel-PQC: The AWS Secrets Manager key-lifecycle manager deserializes persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter
Andrea Cosentino
-
2026/07/06
CVE-2026-24014: Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
Haonan Hou
-
2026/07/06
CVE-2026-43866: Apache Camel: Camel JMS - CVE-2026-40860 fix bypass via DefaultExchangeHolder
Andrea Cosentino
-
2026/07/06
CVE-2026-24013: Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
Haonan Hou
-
2026/07/06
CVE-2026-24012: Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Haonan Hou
-
2026/07/05
[ANNOUNCE] Apache Grails 8.0.0-M2
James Daugherty
-
2026/07/05
CVE-2026-40047: Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
Andrea Cosentino
-
2026/07/05
CVE-2026-40859: Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled
Andrea Cosentino
-
2026/07/05
CVE-2026-42527: Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure
Andrea Cosentino
-
2026/07/05
CVE-2026-43865: Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution
Andrea Cosentino
-
2026/07/05
CVE-2026-46453: Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation
Andrea Cosentino
-
2026/07/05
CVE-2026-46454: Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers
Andrea Cosentino
-
2026/07/05
CVE-2026-46590: Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)
Andrea Cosentino
-
2026/07/05
CVE-2026-46455: Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted
Andrea Cosentino
-
2026/07/05
CVE-2026-46456: Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
Andrea Cosentino
-
2026/07/05
CVE-2026-46457: Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers
Andrea Cosentino
-
2026/07/05
CVE-2026-46584: Apache Camel: Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal
Andrea Cosentino
-
2026/07/05
CVE-2026-46585: Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query
Andrea Cosentino
-
2026/07/05
CVE-2026-46591: Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)
Andrea Cosentino
-
2026/07/05
CVE-2026-46592: Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation
Andrea Cosentino
-
2026/07/05
CVE-2026-46726: Apache Camel: Camel-Vertx-Websocket: The inbound consumer maps externally-supplied WebSocket query and path parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of
Andrea Cosentino
-
2026/07/05
CVE-2026-48203: Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields
Andrea Cosentino
-
2026/07/05
CVE-2026-48205: Apache Camel: Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal
Andrea Cosentino
-
2026/07/05
CVE-2026-48204: Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration
Andrea Cosentino
-
2026/07/05
CVE-2026-48206: Apache Camel: Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials
Andrea Cosentino
-
2026/07/05
CVE-2026-49086: Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Su
Andrea Cosentino
-
2026/07/05
CVE-2026-49097: Apache Camel: Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users
Andrea Cosentino
-
2026/07/05
CVE-2026-49098: Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Andrea Cosentino
-
2026/07/05
CVE-2026-49099: Apache Camel: Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using t
Andrea Cosentino
-
2026/07/05
CVE-2026-53913: Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a
Andrea Cosentino
-
2026/07/05
CVE-2026-49365: Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Andrea Cosentino
-
2026/07/05
CVE-2026-55993: Apache Camel: Camel-Atmosphere-Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secr
Andrea Cosentino
-
2026/07/05
CVE-2026-55994: Apache Camel: Camel-Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged
Andrea Cosentino
-
2026/07/05
CVE-2026-56139: Apache Camel: Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured
Andrea Cosentino
-
2026/07/05
CVE-2026-56140: Apache Camel: Camel-AWS2-SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components; because camel-aws2-sns is producer-only (no consumer) there is no reachable inbound header-injection path, so this is a defense-in-
Andrea Cosentino
-
2026/07/05
[ANNOUNCE] Apache Camel 4.14.8 (LTS) Released
Gregor Zurowski
-
2026/07/04
[ANNOUNCE] Apache Airflow Providers prepared on 2026-07-01 are released
Shahar Epstein
-
2026/07/04
[ANNOUNCE] Apache Grails 7.1.3
James Fredley
-
2026/07/04
[ANNOUNCE] Apache Grails 7.2.0
James Fredley
-
2026/07/04
[ANNOUNCE] Apache Grails 7.0.13
James Fredley
-
2026/07/04
[ANNOUNCE] Apache Groovy 6.0.0-alpha-2 Released
Paul King
-
2026/07/04
[ANNOUNCE] Release Apache Groovy 5.0.7
Paul King
-
2026/07/03
CVE-2026-49297: Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Shahar Epstein
-
2026/07/03
[ANNOUNCE] Apache Airflow Providers prepared on 2026-06-26 are released
Shahar Epstein
-
2026/07/03
[ANNOUNCE] Apache Tika 4.0.0-beta-1 released
Tim Allison
-
2026/07/03
[ANN] Maven Resolver 2.0.20 Released
Tamás Cservenák
-
2026/07/03
[ANNOUNCE] Apache Camel 4.18.3 (LTS) Released
Gregor Zurowski
-
2026/07/02
[ANNOUNCE] Apache Commons JEXL 3.7.0
Gary Gregory
-
2026/07/02
CVE-2026-47898: Apache Lucene.Net: XXE vulnerability in Lucene.Net.Analysis.Common PatternParser
Paul Irwin
-
2026/07/02
CVE-2026-47897: Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client
Paul Irwin
-
2026/07/02
CVE-2026-47896: Apache Lucene.Net: Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server
Paul Irwin
-
2026/07/02
[ANNOUNCE] Apache Log4j `2.26.1` released
Ramanathan Muthu
-
2026/07/02
[ANNOUNCE] Apache Camel 4.21.0 Released
Gregor Zurowski
-
2026/07/01
CVE-2026-54399: Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
Oleg Kalnichevski
-
2026/07/01
CVE-2026-54428: Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
Oleg Kalnichevski
-
2026/07/01
[ANNOUNCEMENT] HttpComponents Client 5.6.2 Released
Oleg Kalnichevski
-
2026/06/30
CVE-2025-53648: Apache Gravitino: SQL misconfiguration can access or truncate files
Jerry Shao
-
2026/06/30
[ANN] Apache Struts 7.2.1
Lukasz Lenart
-
2026/06/29
[ANNOUNCE] Apache ActiveMQ 6.2.7 has been releaseed!
Christopher Shannon
-
2026/06/29
[ANNOUNCE] Apache Allura 1.19.1 released
Dave Brondsema
-
2026/06/29
[ANNOUNCE] Apache Artemis 2.55.0 Released
Justin Bertram
-
2026/06/29
[ANNOUNCE] Apache Paimon 1.4.2 and PyPaimon 1.4.2 released
hope
-
2026/06/29
[SECURITY] CVE-2026-53434 Apache Tomcat - Invalid CRL configuration doesn't trigger failure for FFM Connector
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-55957 Apache Tomcat - Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-55956 Apache Tomcat - Security constraints for default servlet ignored method
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-55955 Apache Tomcat - EncryptInterceptor not protected against replay attacks
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-55276 Apache Tomcat - Logged effective web.xml is incomplete
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-53404 Apache Tomcat - Bad ornext processing in RewriteValve
Mark Thomas
-
2026/06/29
[SECURITY] CVE-2026-50229 Apache Tomcat - XXS in number guess example
Mark Thomas
-
2026/06/29
CVE-2026-53917: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling
Christopher L. Shannon
-
2026/06/29
CVE-2026-54475: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Christopher L. Shannon
-
2026/06/29
CVE-2026-53916: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec
Christopher L. Shannon
-
2026/06/29
CVE-2026-52760: Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Christopher L. Shannon
-
2026/06/29
CVE-2026-50750: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270
Christopher L. Shannon
-
2026/06/29
CVE-2026-50734: Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire memory-allocation DoS during wire format negotiation
Christopher L. Shannon
-
2026/06/29
CVE-2026-49877: Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console
Christopher L. Shannon
-
2026/06/29
CVE-2026-49432: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service
Christopher L. Shannon
-
2026/06/29
CVE-2026-49434: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: LdapNetworkConnector instantiates denied transports and a remote-properties broker
Christopher L. Shannon
-
2026/06/28
[ANNOUNCE] Apache Commons JEXL 3.6.4
Gary Gregory
-
2026/06/28
[ANNOUNCE] Apache Pekko Persistence R2DBC 1.2.0 released
PJ Fanning
-
2026/06/27
[ANN] Apache Props Ant Library 1.0.0 Released
Stefan Bodewig
-
2026/06/27
[ANNOUNCE] Apache Lucene 10.5.0 released
Alan Woodward
-
2026/06/27
Apache MINA 2.1.15 and 2.0.31 released
Emmanuel Lecharny
-
2026/06/26
CVE-2026-57915: Apache Kerby: Kerberos Pre-Authentication Bypass
Colm O hEigeartaigh
-
2026/06/26
CVE-2026-57914: Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures
Colm O hEigeartaigh
-
2026/06/26
[ANNOUNCE] Apache Pulsar Node.js client 1.18.0 released
Baodi Shi
-
2026/06/26
[ANNOUNCE] Apache log4net 3.3.2 released
Jan Friedrich
-
2026/06/25
CVE-2026-49486: Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)
Shahar Epstein
-
2026/06/25
[ANNOUNCE] Apache Kafka 4.3.1
Bill Bejeck
-
2026/06/25
[ANNOUNCEMENT] HttpComponents Core 5.5-beta2 released
Oleg Kalnichevski
-
2026/06/25
[ANNOUNCEMENT] HttpComponents Core 5.4.3 GA released
Oleg Kalnichevski
-
2026/06/24
CVE-2026-54226: Apache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoS
Hulk Lin
-
2026/06/24
CVE-2026-46752: Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()
Hulk Lin
-
2026/06/24
CVE-2026-46751: Apache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.
Hulk Lin
-
2026/06/24
CVE-2026-45188: Apache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename Handling
Hulk Lin
-
2026/06/24
CVE-2026-41566: Apache Kvrocks: Improper permission for the APPLYBATCH command
Hulk Lin
-
2026/06/24
CVE-2026-56130: Apache Shiro: Remember-me cookie isn't checked for expiry on the server
Lenny Primak
-
2026/06/24
CVE-2026-56091: Apache Shiro: Authentication bypass in Guice-Web integration
Lenny Primak
-
2026/06/24
[ANNOUNCE] Apache Pulsar 5.0.0-M1 released
Lari Hotari
-
2026/06/24
[ANNOUNCE] Apache Commons JEXL 3.6.3
Gary Gregory
-
2026/06/23
[ANNOUNCE] Apache Pekko Persistence JDBC 1.3.0 released
PJ Fanning
-
2026/06/23
[ANN] Apache Tomcat 9.0.119 available
Rémy Maucherat
-
2026/06/22
[ANN] Apache Tomcat 10.1.56 Available
Christopher Schultz
-
2026/06/22
[ANNOUNCE] Apache Airflow Providers prepared on 2026-06-16 are released
Shahar Epstein
-
2026/06/22
[ANNOUNCE] Apache Grails 7.0.12
James Daugherty
-
2026/06/22
[ANNOUNCE] Apache Grails 7.1.2
James Daugherty
-
2026/06/22
[ANN] Apache Tomcat 11.0.23 Available
Mark Thomas
-
2026/06/21
CVE-2025-66336: Apache Doris MCP Server: SQL injection leading the authentication bypass
Calvin Kirs
-
2026/06/20
CVE-2026-54665: Apache NiFi: Missing Validation for Proxy Host Headers
David Handermann
-
2026/06/20
CVE-2026-44914: Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents
David Handermann
-
2026/06/20
CVE-2026-44913: Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
David Handermann
-
2026/06/20
CVE-2026-44911: Apache NiFi: Incorrect Authorization for Configuration Verification Requests
David Handermann
-
2026/06/19
CVE-2025-62198: Apache Atlas: Stored XSS in Create Entity page
Madhan Neethiraj
-
2026/06/19
[ANNOUNCE] Apache NiFi 2.10.0 Released
Pierre Villard
-
2026/06/19
[ANN] Apache AntUnit 1.5.0 Released
Stefan Bodewig
-
2026/06/19
Apache MINA 2.2.8, 2.1.14, 2.0.30 released
Emmanuel Lecharny
-
2026/06/19
[ANNOUNCE] Apache Pulsar Helm Chart version 4.6.1 Released
Lari Hotari
-
2026/06/19
CVE-2026-48895: Apache APISIX: Cas-auth Host header influence on CAS service URL
Abhishek Choudhary
-
2026/06/19
CVE-2026-49230: Apache APISIX: Authentication bypass in jwe-decrypt
Abhishek Choudhary
-
2026/06/19
CVE-2026-49231: Apache APISIX: Identity spoofing issue in APISIX opa plugin
Abhishek Choudhary
-
2026/06/19
CVE-2026-49871: Apache APISIX: cas-auth login CSRF / session injection issue
Abhishek Choudhary
-
2026/06/19
CVE-2026-49872: Apache APISIX: Improper authentication in cas-auth plugin
Abhishek Choudhary
-
2026/06/19
CVE-2026-47341: Apache APISIX: Session replay issue in hmac-auth
Abhishek Choudhary
-
2026/06/19
CVE-2026-47339: Apache APISIX: authz-casdoor incorrect session sharing
Abhishek Choudhary
-
2026/06/18
CVE-2026-44915: Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
Abhishek Choudhary
-
2026/06/18
CVE-2026-44087: Apache APISIX: Openid-connect plugin Identity Header Spoofing
Abhishek Choudhary
-
2026/06/18
CVE-2026-44046: Apache APISIX: wolf-rbac plugin Identity Spoofing
Abhishek Choudhary
-
2026/06/18
CVE-2026-39999: Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Abhishek Choudhary
-
2026/06/18
CVE-2026-39998: Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Abhishek Choudhary
-
2026/06/17
[ANNOUNCE] Apache Commons Logging 1.4.0
Gary Gregory
-
2026/06/17
CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Lenny Primak
-
2026/06/16
CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Wenjun Ruan
-
2026/06/16
CVE-2026-49050: Apache DolphinScheduler: General user can mint admin access tokens via /access-tokens
Wenjun Ruan
-
2026/06/16
CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Wenjun Ruan
-
2026/06/16
CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Wenjun Ruan
-
2026/06/16
CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Wenjun Ruan
-
2026/06/16
CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Wenjun Ruan
-
2026/06/16
[ANNOUNCE] Apache Fory 1.2.0 released
Shawn Yang
-
2026/06/16
[ANN] Apache TomEE 11.0.0-M1
Richard Zowalla
-
2026/06/16
CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names
Jarek Potiuk
-
2026/06/15
[ANN] Apache Tomcat Native 1.3.8 released
Mark Thomas
-
2026/06/15
[ANN] Apache Tomcat Native 2.0.15 released
Mark Thomas
-
2026/06/15
[ANN] Maven Executor 1.0.0 released
Tamás Cservenák
-
2026/06/15
[ANNOUNCE] Apache Pulsar Go Client 0.20.0 released
Zike Yang
-
2026/06/15
[ANNOUNCE] Apache Pulsar Client C++ 4.2.0 released
Yunze Xu
-
2026/06/14
[ANNOUNCE] Apache Flink 1.20.5 released
Yunfeng Zhou
-
2026/06/14
[ANNOUNCE] Apache Flink 2.1.3 released
Yunfeng Zhou
-
2026/06/14
[ANNOUNCE] Apache Zeppelin 0.12.1 available
Jongyoul Lee
-
2026/06/12
[ANNOUNCE] Apache Airflow Providers prepared on 2026-06-08 are released
Jarek Potiuk
-
2026/06/12
[ANNOUNCEMENT] Commons Daemon 1.6.1 Released
Mark Thomas
-
2026/06/11
CVE-2026-50645: Apache CXF: No restriction on attachment headers per message
Colm O hEigeartaigh
-
2026/06/11
CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
Colm O hEigeartaigh