apache
CVE Numbering Authority
Latest CVE published
Overview
apache is a CVE Numbering Authority that has published 1,788 CVE records since 2016. It is currently classified as active, with 487 CVEs published in the last two years. Its CVE data quality is graded D (65.2% overall completeness).
Among the 370 CNAs tracked here, apache ranks #28 by CVE volume and reports more complete records than 17% of all CNAs.
Data quality report card
How complete and consistent apache's CVE records are, scored across vendor, product, CVSS, and CWE coverage.
A CVE record only requires a description to be published. “Completeness” measures how often apache also fills in the optional — but extremely useful — fields that make a vulnerability actually actionable: the affected vendor and product, a CVSS severity score, and a CWE weakness type. A higher score means more of this CNA’s CVEs include those details, so defenders spend less time enriching records by hand.
Report card grade
65.2%
Overall score
What these scores mean
- Vendor completeness
- The share of this CNA's CVEs that name an affected vendor.
- Product completeness
- The share that name a specific affected product.
- CVSS completeness
- The share that include a CVSS severity score.
- CWE completeness
- The share mapped to a CWE weakness type.
- Update rate
- How often this CNA revises CVE records after first publishing them.
- Vendor diversity
- How many distinct vendors this CNA publishes CVEs for.
Severity and exploitation
How the CVSS severity of apache's published CVEs breaks down, and how many are known to be exploited in the wild.
2 additional CVEs have no CVSS severity score.
In CISA’s Known Exploited Vulnerabilities catalog
34
34 of apache's CVEs are confirmed exploited in the wild and carry a CISA remediation deadline.
Common weakness types
The CWE weakness categories apache most often assigns to its CVEs. Follow any weakness to its full explanation.
- CWE-20Improper Input Validation143 CVEs
- CWE-502Deserialization of Untrusted Data125 CVEs
- CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')70 CVEs
- CWE-200Exposure of Sensitive Information to an Unauthorized Actor67 CVEs
- CWE-863Incorrect Authorization52 CVEs
- CWE-918Server-Side Request Forgery (SSRF)47 CVEs
- CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')44 CVEs
- CWE-94Improper Control of Generation of Code ('Code Injection')41 CVEs
Publishing activity by year
How many CVEs apache has published each year.
Top vendors
The vendors apache publishes the most CVEs for.
- Apache Software Foundation2,196 CVEs
- debian190 CVEs
- oracle172 CVEs
- netapp123 CVEs
- Red Hat98 CVEs
- fedoraproject87 CVEs
- canonical54 CVEs
- openSUSE22 CVEs
Top products
The products apache publishes the most CVEs for.
- debian linux190 CVEs
- Airflow182 CVEs
- Apache Airflow136 CVEs
- http_server134 CVEs
- Apache HTTP Server124 CVEs
- Tomcat121 CVEs
- Apache Tomcat115 CVEs
- httpd115 CVEs
Latest CVEs
The most recent CVEs assigned by apache.
- CVE-2026-59173CWE-400
Apache Traffic Server: DoS vulnerability in HTTP/2 via stalled flow-control conditions
Unscored2026-07-18 - CVE-2026-62764CWE-274
Apache Accumulo: A user can trigger a graceful shutdown of services without the relevant system permissions
Medium · CVSS 5.7EPSS 0.3%2026-07-17 - CVE-2026-26032CWE-22
Apache Ivy: PackagerResolver path traversal vulnerability
Medium · CVSS 5.4EPSS 0.6%2026-07-15 - CVE-2026-57821CWE-89
Apache Fineract: Office list: SQL Injection via Subquery in orderBy
High · CVSS 8.1EPSS 0.8%2026-07-15 - CVE-2026-35152CWE-89
Apache Fineract: SQL injection in runreports endpoint
High · CVSS 8.8EPSS 3.5%2026-07-15 - CVE-2026-56287CWE-89
Apache Fineract: Boolean SQL Injection in Client Search API (orderBy parameter) leading to Local File Disclosure
High · CVSS 8.1EPSS 0.7%2026-07-15 - CVE-2026-49488CWE-22
Apache OpenMeetings: Arbitrary File Read
Medium · CVSS 6.5EPSS 0.7%2026-07-14 - CVE-2026-62393CWE-280
Apache Kylin: Improper authorization in job information retrieval
Medium · CVSS 4.3EPSS 0.5%2026-07-14 - CVE-2026-62392CWE-78
Apache Kylin: OS Command Injection via Async Query API
Critical · CVSS 9.8EPSS 1.8%2026-07-14 - CVE-2026-62390CWE-89
Apache Kylin: SQL Injection Vulnerability in Catalog Cache Refresh API
Critical · CVSS 9.8EPSS 0.7%2026-07-14 - CVE-2026-58319CWE-306
Apache Doris: Improper Authentication in Frontend HTTP API
Critical · CVSS 9.1EPSS 0.6%2026-07-14 - CVE-2026-59084CWE-1059
Apache Tomcat: EncryptInterceptor requirements not clearly documented
Critical · CVSS 9.1EPSS 0.4%2026-07-14
Track new apache CVEs as they are published and get AI-written analysis and remediation guidance.
Monitor apache CVEsOther CNAs
Compare data quality across other CVE Numbering Authorities.
Frequently asked questions
Common questions about the apache CNA.
- What is the apache CNA?
- apache is a CVE Numbering Authority (CNA) — an organization authorized to assign CVE IDs to vulnerabilities in its scope. It has published 1,788 CVE records since 2016.
- How many CVEs has apache published?
- apache has published 1,788 CVE records, including 487 in the last two years.
- What is apache's CVE data quality grade?
- RadicalNotion.AI grades apache's CVE data quality as D, with an overall completeness score of 65.2%. This reflects how consistently its CVE records include vendor (92.2%), product (99.8%), CVSS (7.3%), and CWE (61.6%) information.
- What products does apache publish CVEs for?
- apache most frequently publishes CVEs for debian linux, Airflow, Apache Airflow, http_server, Apache HTTP Server.
- Which vendors does apache cover?
- apache publishes CVEs across 9 distinct vendors, most often Apache Software Foundation, debian, oracle, netapp, Red Hat.
- Is apache actively publishing CVEs?
- apache is currently active, based on 487 CVEs in the last two years.
- What is the average severity of apache's CVEs?
- The average CVSS base score across apache's scored CVEs is 6.4.
- How many critical CVEs has apache published?
- apache has published 491 critical-severity CVEs and 899 high-severity CVEs.
- Are any of apache's CVEs in CISA's Known Exploited Vulnerabilities catalog?
- Yes. 34 of apache's CVEs are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning they are confirmed to be exploited in the wild.
- What are the most common weakness types in apache's CVEs?
- apache's CVEs most often map to these CWE weakness types: CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data), CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- How does apache rank among CNAs?
- By total CVE volume, apache ranks #28 of 370 CNAs, and it reports more complete CVE records than 17% of all CNAs.
References
- Official CVE.org list of CNA partners (opens in a new tab)
- Learn: What is a CNA?
- CWE directory: the weakness types this CNA maps its CVEs to
CNA report-card grades are computed by RadicalNotion.AI from published CVE records. CVE data is sourced from the CVE Program.
Track apache CVEs
Monitor new vulnerabilities as this CNA publishes them, with AI-written analysis and remediation guidance.