2,972 CVEs

44 in CISA KEV

apache Vulnerabilities

CVE security advisories and vulnerability history for apache.

2,972

Total CVEs

Published

44

In CISA KEV

Exploited in the wild

385

Public exploits

With known exploit

7.3

Avg CVSS

1999–2026

Overview

apache has 2,972 published CVE records since 1999, of which 44 are in CISA's Known Exploited Vulnerabilities catalog and 385 have a known public exploit. The average CVSS base score across scored CVEs is 7.3.

This page aggregates every publicly disclosed vulnerability (CVE) affecting apache products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of apache's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical228

High437

Medium407

Low29

1,871 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

44

44 of apache's CVEs are confirmed exploited in the wild.

Public exploits

385

385 of apache's CVEs have a known public exploit available.

Most affected products

The apache products with the most published CVEs.

http server340 CVEs
debian linux315 CVEs
tomcat256 CVEs
org.apache.tomcat:tomcat158 CVEs
fedora154 CVEs
ubuntu linux148 CVEs
airflow146 CVEs
Apache HTTP Server121 CVEs

Common weakness types

The CWE weakness categories most often found in apache CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish apache CVE records.

Disclosure activity by year

How many apache CVEs were published each year.

2019

172

2020

167

2021

211

2022

223

2023

301

2024

267

2025

221

2026

233

Latest apache CVEs

The most recently disclosed vulnerabilities affecting apache.

Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission
CWE-863
Medium · CVSS 4.3
EPSS 0.1%2026-05-28
Apache Ignite: REST HTTP arbitrary file read vulnerability
CWE-23
High · CVSS 8.5
EPSS 0.0%2026-05-28
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
CWE-601
Unscored
EPSS 0.1%2026-05-25
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
CWE-601
Medium · CVSS 5.1
EPSS 0.1%2026-05-25
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
CWE-614
Medium · CVSS 5.9
EPSS 0.0%2026-05-25
Apache Shiro: Session fixation: new session is not created after login by default
CWE-384
Medium · CVSS 5.9
EPSS 0.1%2026-05-25
Apache Syncope: JexlContextBuilder Information Disclosure
CWE-202
Medium · CVSS 4.9
EPSS 0.1%2026-05-25
Apache Syncope: Post-auth RCE via Groovy static
CWE-653
High · CVSS 7.2
EPSS 0.1%2026-05-25
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
CWE-90
Medium · CVSS 5.3
EPSS 0.2%2026-05-25
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
CWE-322
High · CVSS 8.1
EPSS 0.1%2026-05-25
Apache ECharts: XSS in Lines series tooltip rendering
CWE-79
Medium · CVSS 6.1
EPSS 0.1%2026-05-25
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
CWE-20
High · CVSS 7.5
EPSS 0.2%2026-05-22

Track new apache CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor apache CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

mozilla3,612 CVEs opensuse3,298 CVEs Siemens3,230 CVEs Qualcomm, Inc.2,934 CVEs hp2,526 CVEs netapp2,517 CVEs qualcomm2,477 CVEs Huawei2,355 CVEs

Browse all vendors

Frequently asked questions

Common questions about apache vulnerabilities.

How many CVEs does apache have?

apache has 2,972 published CVE records since 1999, including 454 in the last two years.

How many apache CVEs are in CISA KEV?

Yes — 44 of apache's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which apache products have the most CVEs?

The apache products with the most published CVEs are http server, debian linux, tomcat, org.apache.tomcat:tomcat, fedora.

What are the most common weakness types in apache CVEs?

apache's CVEs most often map to these CWE weakness types: CWE-502 (Deserialization of Untrusted Data), CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Are there public exploits for apache vulnerabilities?

Yes — 385 of apache's CVEs have a known public exploit.

How many critical apache vulnerabilities are there?

apache has 228 critical and 437 high-severity CVEs.

What is the average severity of apache CVEs?

The average CVSS base score across apache's scored CVEs is 7.3.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track apache vulnerabilities

Monitor new apache vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing