PatchSiren

Apache CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Apache CVE published 2026-06-17

CVE-2026-49268

CVE-2026-49268 is a high-severity vulnerability in Apache Shiro that allows remote attackers to inject LDAP special characters, potentially bypassing authentication or impersonating users. The issue affects all Apache Shiro versions up to 2.2.0 and 3.0.0-alpha-1 when using DefaultLdapRealm. Attackers can exploit this by directly concatenating user-supplied username input into the LDAP DN template without [truncated]

HIGH Apache CVE published 2026-06-10

CVE-2026-25700

CVE-2026-25700 is a HIGH severity vulnerability in Apache Answer, with a CVSS score of 7.2. The vulnerability is caused by improper restriction of security token assignment, allowing previously issued administrative tokens to remain valid even after an administrator account was suspended, deleted, or deactivated. This issue affects Apache Answer through version 2.0.0. Users are recommended to upgrade to v [truncated]

MEDIUM Apache CVE published 2026-06-09

CVE-2026-34905

CVE-2026-34905 is a MEDIUM-severity vulnerability in Apache Answer, a question-and-answer platform. The issue affects Apache Answer through version 2.0.0 and allows authenticated users to discover and access unlisted questions, their answers, comments, and revision history due to insufficient access restrictions on direct API endpoints for unlisted questions. The CVSS score for this vulnerability is 6.5.

MEDIUM Apache CVE published 2026-06-09

CVE-2026-34033

CVE-2026-34033 is a MEDIUM severity vulnerability in Apache Answer through 2.0.0, allowing authenticated users to inject arbitrary HTML into emails sent to other users due to improper neutralization of script-related HTML tags. Users are recommended to upgrade to version 2.0.1 to fix the issue.

MEDIUM Apache CVE published 2026-06-09

CVE-2026-34031

CVE-2026-34031 is an Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

MEDIUM Apache CVE published 2026-06-09

CVE-2026-33582

CVE-2026-33582 is an Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer through version 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

MEDIUM Apache CVE published 2026-06-09

CVE-2026-25699

CVE-2026-25699 is a MEDIUM severity vulnerability in Apache Answer through 2.0.0. The issue arises from timeline-related APIs lacking proper authorization checks, which allowed regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. The vulnerability has a CVSS score of 6.1 and was pub [truncated]

MEDIUM Apache CVE published 2026-06-09

CVE-2026-25688

CVE-2026-25688 is a MEDIUM-severity vulnerability in Apache Answer, a Q&A platform. The issue, classified as CWE-87, involves improper neutralization of alternate XSS syntax. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. This vulnerability affects Apache Answer through version 2.0.0 and is fixed [truncated]

HIGH Apache CVE published 2026-06-08

CVE-2026-48913

A Use After Free vulnerability was discovered in the Apache HTTP Server module mod_http2 (CVE-2026-48913). The vulnerability occurs when file handles are already exhausted. This issue affects Apache HTTP Server versions from 2.4.55 through 2.4.67, with a CVSS score of 7.3 and a severity rating of HIGH.

CRITICAL Apache CVE published 2026-06-08

CVE-2026-44631

A Buffer Underwrite vulnerability exists in Apache HTTP Server when processing crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

HIGH Apache CVE published 2026-06-08

CVE-2026-44186

CVE-2026-44186 is a HIGH severity vulnerability in Apache HTTP Server's mod_proxy_ftp module. The issue is caused by an infinite loop with an unreachable exit condition, which can be triggered by an attacker-controlled backend FTP server. The vulnerability affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS scor [truncated]

HIGH Apache CVE published 2026-06-08

CVE-2026-44185

CVE-2026-44185 is a Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 7.3, with a severity rating of HIGH.

MEDIUM Apache CVE published 2026-06-08

CVE-2026-44119

CVE-2026-44119 is an Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier. This vulnerability allows local .htaccess authors to read files with the privileges of the httpd user. The issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 5.5, with [truncated]

MEDIUM Apache CVE published 2026-06-08

CVE-2026-43951

CVE-2026-43951 is a MEDIUM-severity vulnerability in Apache HTTP Server versions from 2.4.0 through 2.4.67. The vulnerability is caused by an out-of-bounds read issue when using mod_headers and mod_mime with multiple response languages.

HIGH Apache CVE published 2026-06-08

CVE-2026-42536

CVE-2026-42536 is a Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CRITICAL Apache CVE published 2026-06-08

CVE-2026-42535

A path handling issue in mod_dav_fs in Apache HTTP Server 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

HIGH Apache CVE published 2026-06-08

CVE-2026-34356

CVE-2026-34356 is a Heap-based Buffer Overflow vulnerability in Apache HTTP Server. The vulnerability occurs with malicious backend servers and ProxyPassReverseCookie*. The issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 7.5, and the severity is classified as HIGH.

HIGH Apache CVE published 2026-06-08

CVE-2026-34355

CVE-2026-34355 is a HIGH severity vulnerability in Apache HTTP Server 2.4.67 and earlier. The vulnerability is caused by a buffer overflow in mod_proxy_html, which allows an attack by an untrusted backend. The CVSS score is 7.5. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

MEDIUM Apache CVE published 2026-06-08

CVE-2026-29170

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

CRITICAL Apache CVE published 2026-06-08

CVE-2026-29167

CVE-2026-29167 is a Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 9.8, indicating a CRITICAL severity.

CRITICAL Apache CVE published 2026-06-04

CVE-2026-50076

CVE-2026-50076 is a Deserialization of Untrusted Data vulnerability in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms. This vulnerability allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. The CVSS score for this vulner [truncated]

CRITICAL Apache CVE published 2026-05-19

CVE-2026-45434

CVE-2026-45434 is a critical Apache OFBiz vulnerability affecting versions before 24.09.06. The issue is described as an improper authentication flaw in password-change logic that can lead to remote code execution. Because the CVSS 3.1 score is 9.8 and the vector indicates network exploitation without privileges or user interaction, affected OFBiz instances should be treated as urgent patch candidates.

HIGH Apache CVE published 2026-05-19

CVE-2026-31909

CVE-2026-31909 is an information disclosure issue in Apache OFBiz affecting versions before 24.09.06. The supplied record points to CWE-200 and recommends upgrading to 24.09.06 to fix the issue.

MEDIUM Apache CVE published 2026-05-19

CVE-2026-31378

CVE-2026-31378 is an Apache OFBiz vulnerability described as improper input validation. According to the supplied source corpus, it affects Apache OFBiz versions before 24.09.06, and Apache recommends upgrading to 24.09.06 to fix the issue. The available record does not provide a CVSS score or additional exploitation details, so defenders should treat this as a version-level remediation item and verify ex [truncated]

HIGH Apache CVE published 2026-05-19

CVE-2026-29226

CVE-2026-29226 is a Server-Side Request Forgery (SSRF) vulnerability affecting Apache OFBiz before 24.09.06. The issue is associated with Content component operations and was published on 2026-05-19. Apache recommends upgrading to version 24.09.06, which fixes the issue.

MEDIUM Apache CVE published 2026-05-19

CVE-2026-29220

CVE-2026-29220 is a path traversal issue in Apache OFBiz affecting versions before 24.09.06. Apache recommends upgrading to 24.09.06, which fixes the issue. The NVD record maps the weakness to CWE-22.

HIGH Apache CVE published 2026-05-08

CVE-2026-39816

CVE-2026-39816 is a high-severity authorization issue in Apache NiFi’s optional TinkerpopClientService. In affected NiFi versions, the service can be configured without the Restricted annotation that should require Execute Code permission. In environments using fine-grained authorization, that means a user who lacks Execute Code permission may still be able to configure the service if the optional graph-s [truncated]

CRITICAL Apache CVE published 2026-05-08

CVE-2026-25199

CVE-2026-25199 is a critical Apache CloudStack flaw in the Proxmox extension that can let a non-privileged tenant user gain unauthorized access to another tenant's instance. The issue stems from use of a user-editable instance detail, proxmox_vmid, to bind CloudStack instances to Proxmox virtual machines. Because that value is not restricted or validated against tenant ownership and Proxmox VM IDs are pre [truncated]

HIGH Apache CVE published 2026-05-08

CVE-2026-25077

CVE-2026-25077 affects Apache CloudStack deployments that use the KVM hypervisor. According to the vendor advisory and NVD record, account users can register templates that are downloaded directly to primary storage for instance deployment; missing file name sanitization can then allow malicious templates to execute arbitrary code on KVM hosts. Apache says upgrading to 4.20.3.0, 4.22.0.1, or later fixes the issue.

MEDIUM Apache CVE published 2026-05-08

CVE-2025-69233

CVE-2025-69233 affects Apache CloudStack and was published on 2026-05-08, with a modification on 2026-05-09. The issue is a set of time-of-check time-of-use race conditions plus missing validations in resource count check and increment logic. In practice, that can let users exceed account or domain allocation limits, which may degrade infrastructure resources and create denial-of-service conditions. Apach [truncated]

HIGH Apache CVE published 2026-05-08

CVE-2025-66467

CVE-2025-66467 is a high-severity Apache CloudStack issue where MinIO policy cleanup does not occur when a bucket is deleted. If another user later creates a bucket with the same name, the prior owner can keep using previously issued access and secret keys to reach the new bucket with unauthorized read and write access. Apache recommends upgrading to 4.20.3.0 or 4.22.0.1, or later.

MEDIUM Apache CVE published 2026-04-18

CVE-2026-40948

CVE-2026-40948 describes an authentication-flow weakness in apache-airflow-providers-keycloak where the Keycloak login / callback handling did not generate or validate the OAuth 2.0 state parameter and did not use PKCE. In the documented scenario, an attacker with a Keycloak account in the same realm could steer a victim’s browser into a crafted callback URL and cause the victim to end up logged into the [truncated]

Known exploited Apache CVE published 2026-04-16

CVE-2026-34197

CVE-2026-34197 is a publicly listed Apache ActiveMQ flaw described as an improper input validation vulnerability and added to CISA’s Known Exploited Vulnerabilities catalog on 2026-04-16. Because CISA has designated it as actively exploited, defenders should treat exposure as urgent and follow Apache’s remediation guidance, with special attention to cloud-service guidance where applicable.

LOW Apache CVE published 2026-03-24

CVE-2026-32642

CVE-2026-32642 is an Incorrect Authorization (CWE-863) vulnerability in Apache Artemis and Apache ActiveMQ Artemis. The vulnerability occurs when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user who has the 'createDurableQueue' permission but does not have the 'createAddress' permission and addres [truncated]

Known exploited Apache CVE published 2025-05-01

CVE-2024-38475

CVE-2024-38475 is a known-exploited vulnerability affecting Apache HTTP Server. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-05-01, which means defenders should treat it as a high-priority remediation item and follow vendor mitigation guidance.

Known exploited Apache CVE published 2025-04-01

CVE-2025-24813

CVE-2025-24813 is an Apache Tomcat path equivalence vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-04-01, indicating it should be treated as a high-priority defensive item. The available official guidance is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

Known exploited Apache CVE published 2025-02-04

CVE-2024-45195

CVE-2024-45195 is an Apache OFBiz forced browsing vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-02-04. Because CISA identified it as known exploited, organizations using OFBiz should treat it as an active defensive priority and follow vendor guidance quickly. CISA’s KEV entry directs organizations to apply mitigations per vendor instructions or discontinue use of the [truncated]

Known exploited Apache CVE published 2024-09-18

CVE-2024-27348

CVE-2024-27348 is an Apache HugeGraph-Server improper access control issue that CISA added to its Known Exploited Vulnerabilities catalog on 2024-09-18. Because it is listed in KEV, defenders should treat it as a priority issue for exposed HugeGraph-Server deployments and any downstream products that incorporate it. CISA’s required action is to apply vendor mitigations or discontinue use if mitigations ar [truncated]

Known exploited Apache CVE published 2024-08-27

CVE-2024-38856

CVE-2024-38856 is an incorrect authorization issue in Apache OFBiz. CISA added it to the Known Exploited Vulnerabilities catalog on 2024-08-27, which makes it a high-priority issue for any organization running OFBiz. The supplied records do not include a CVSS score or fixed-version details, so defenders should rely on vendor guidance and the KEV-required action immediately.

Known exploited Apache CVE published 2024-08-07

CVE-2024-32113

CVE-2024-32113 is a path traversal vulnerability affecting Apache OFBiz. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2024-08-07, which means defenders should treat it as a high-priority issue and act by the 2024-08-28 due date.

Known exploited Apache CVE published 2024-05-23

CVE-2020-17519

CVE-2020-17519 is an Apache Flink improper access control vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2024-05-23. The CISA entry directs defenders to apply vendor mitigations or discontinue use of the product if mitigations are unavailable. Because the supplied corpus does not include affected versions, fixed releases, or a CVSS score, this debrief focuses on defensive [truncated]

Known exploited Apache CVE published 2024-01-08

CVE-2023-27524

CVE-2023-27524 is an Apache Superset vulnerability described as an insecure default initialization of a resource. The supplied official record is sparse on exploit mechanics and impact, but CISA added it to the Known Exploited Vulnerabilities catalog on 2024-01-08, which makes it a high-priority defensive issue. Treat any exposed Superset deployment as needing prompt validation, mitigation, or upgrade.

Known exploited Apache CVE published 2023-11-02

CVE-2023-46604

CVE-2023-46604 is a deserialization of untrusted data vulnerability in Apache ActiveMQ. CISA has placed it in the Known Exploited Vulnerabilities catalog and marked it as known ransomware campaign use, which makes this a high-priority issue for defenders. CISA’s required action is to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

Known exploited Apache CVE published 2023-09-06

CVE-2023-33246

CVE-2023-33246 is an Apache RocketMQ command execution vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2023-09-06. Because it is listed in KEV, defenders should treat it as an active risk and prioritize mitigation using vendor guidance or remove/discontinue use if mitigation is not available.

Known exploited Apache CVE published 2023-05-12

CVE-2016-8735

CVE-2016-8735 is recorded in the supplied corpus as an Apache Tomcat remote code execution vulnerability and is also listed in CISA’s Known Exploited Vulnerabilities catalog. For defenders, the practical takeaway is straightforward: treat it as a patch-now issue and follow vendor update guidance. The supplied source data does not provide a CVSS score, so prioritization here is driven by KEV status and the [truncated]

Known exploited Apache CVE published 2023-05-01

CVE-2021-45046

CVE-2021-45046 is a publicly listed Apache Log4j2 vulnerability described as deserialization of untrusted data. In the supplied CISA Known Exploited Vulnerabilities record, it is marked as known exploited and associated with known ransomware campaign use. CISA added it to the KEV catalog on 2023-05-01 and set a remediation due date of 2023-05-22, with the required action to apply updates per vendor instructions.

Known exploited Apache CVE published 2023-03-07

CVE-2022-33891

CVE-2022-33891 is a command injection vulnerability in Apache Spark that CISA added to its Known Exploited Vulnerabilities catalog on 2023-03-07. Because it is listed in KEV, defenders should treat it as an actively exploited risk and prioritize remediation using vendor guidance.

Known exploited Apache CVE published 2022-08-25

CVE-2022-24706

CVE-2022-24706 is a publicly disclosed Apache CouchDB vulnerability described as an insecure default initialization of a resource. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-08-25, which makes timely remediation a high priority for any organization running CouchDB.

Known exploited Apache CVE published 2022-08-25

CVE-2022-24112

CVE-2022-24112 is an Apache APISIX authentication bypass vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on the same day it was published. Because it is in the KEV list, defenders should treat it as a high-priority issue and follow vendor update guidance promptly.

Known exploited Apache CVE published 2022-03-25

CVE-2020-1956

CVE-2020-1956 is an Apache Kylin operating-system command injection vulnerability that CISA has listed in its Known Exploited Vulnerabilities catalog. Because it is on the KEV list, organizations using Apache Kylin should treat it as a high-priority remediation item and apply vendor updates per Apache instructions.