PatchSiren cyber security CVE debrief
CVE-2026-42536 Apache CVE debrief
CVE-2026-42536 is a heap-based buffer overflow vulnerability in Apache HTTP Server involving mod_xml2enc, xml2StartParse, and untrusted content. It affects Apache HTTP Server versions 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
- Vendor: Apache
- Product: HTTP Server
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Apache HTTP Server versions 2.4.0 through 2.4.67 should upgrade to version 2.4.68 to fix the vulnerability.
Technical summary
The vulnerability has a CVSS score of 7.5 and a severity of HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The weakness is classified as CWE-122.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Apache HTTP Server version 2.4.68 or later.
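A triage check for the version range and module named in this debrief, as an added example that is not part of the original page or Apache's own tooling. It assumes the usual `httpd -v` and `apachectl -M` output formats; the sample outputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory); function names are hypothetical.
# Live use: assess "$(httpd -v)" "$(apachectl -M 2>/dev/null)"
# (on Debian-style systems the binaries are apache2 and apache2ctl).

# Constructed sample outputs so the script runs offline.
SAMPLE_VERSION='Server version: Apache/2.4.62 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 proxy_html_module (shared)
 xml2enc_module (shared)'

# Print the dotted version from `httpd -v` style text, or nothing.
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed only for the range the debrief lists: 2.4.0 through 2.4.67.
version_affected() {
    case "$1" in
        2.4.*) patch=${1#2.4.} ;;
        *) return 1 ;;
    esac
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric patch level
    esac
    [ "$patch" -le 67 ]
}

# Succeed if the module list shows mod_xml2enc (identifier xml2enc_module).
xml2enc_loaded() {
    printf '%s\n' "$1" | grep -q 'xml2enc_module'
}

# Combine both checks into one verdict string.
assess() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! version_affected "$ver"; then echo "not-affected"; return 0; fi
    if xml2enc_loaded "$2"; then
        echo "affected-module-loaded"
    else
        echo "affected-version-module-not-loaded"
    fi
}

assess "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

Distribution packages can carry backported fixes without changing the reported version string, so confirm an "affected" verdict against the package changelog before acting on it.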
Evidence notes
The vulnerability was published on 2026-06-08T16:16:39.263Z and modified on 2026-06-09T15:55:19.853Z. The CVE record can be found at [cve-org]. The NVD detail can be found at [nvd].
Official resources
- CVE-2026-42536 CVE record (CVE.org)
- CVE-2026-42536 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
CVE-2026-42536 was disclosed on 2026-06-08.