Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Apache
Httpd

apache httpd Vulnerabilities: CVEs, CISA KEV & Security Advisories

113 CVEs

5 in CISA KEV

apache httpd Vulnerabilities

CVE security advisories and vulnerability history for httpd by apache.

113

Total CVEs

Published

5

In CISA KEV

Exploited in the wild

20

Public exploits

With known exploit

7.6

Avg CVSS

2016–2025

Last updated December 5, 2025

Overview

apache httpd has 113 published CVE records since 2016, of which 5 are in CISA's Known Exploited Vulnerabilities catalog and 20 have a known public exploit. The average CVSS base score across scored CVEs is 7.6.

This page aggregates every publicly disclosed vulnerability (CVE) affecting apache httpd, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of apache httpd's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical8

High22

Medium8

Low0

75 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

5

5 of apache httpd's CVEs are confirmed exploited in the wild.

Public exploits

20

20 of apache httpd's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every apache httpd version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

Fixed in

7e926454793abd7d71b6afc8bd1ec1648752c6ad8 CVEs
15e7241fa52e86096ee061e1b7fca0cd8d6f53ee7 CVEs
e4a77ef6051b3fe22eafacbcf54855b178a0bddd5 CVEs
5ed6876d88a45356ea39ece729853fc9c9f37e2d4 CVEs
a751ae5cf6890cfd477f253390d09186386ea9883 CVEs
bbacd798d1494b5a99f4e3edab068ccc77b03b7e3 CVEs
c3ad18b7ee32da93eabaae7b94541d3c322643403 CVEs
34ae6b5c14599b0a2619ea29709e77f10ab073522 CVEs
3cdd2d84507d2a86eb5dab2eec96f1035bb76d6c2 CVEs
8201e867f1d4cdf61840625c6c4be901e3f1b6ba2 CVEs
fed3b8a079835cd63648d8903bc69243ce2c472a

Find a version

113 CVEs

Sort

Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
CVE-2025-58098
Patch
CWE-201
High · CVSS 8.3
EPSS 0.0% (5th pct)2025-12-05
Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo
CVE-2025-66200
Patch
CWE-288
Medium · CVSS 5.4
EPSS 0.0% (13th pct)2025-12-05
Apache HTTP Server: CGI environment variable override
CVE-2025-65082
Patch
CWE-150
Medium · CVSS 6.5
EPSS 0.1% (35th pct)2025-12-05
Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF
CVE-2025-59775
Patch
CWE-918
High · CVSS 7.5
EPSS 0.1% (20th pct)2025-12-05
Apache HTTP Server: mod_md (ACME), unintended retry intervals
CVE-2025-55753
Patch
CWE-190
High · CVSS 7.5
EPSS 0.0% (15th pct)2025-12-05
Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
CVE-2025-54090
Patch
CWE-253
Medium · CVSS 6.3
EPSS 0.9% (76th pct)2025-07-23
Apache HTTP Server: HTTP/2 DoS by Memory Increase
CVE-2025-53020
Patch
CWE-401
High · CVSS 7.5
EPSS 2.8% (86th pct)2025-07-10
Apache HTTP Server: mod_ssl TLS upgrade attack
CVE-2025-49812
Patch
CWE-287
High · CVSS 7.4
EPSS 0.4% (64th pct)2025-07-10
Apache HTTP Server: mod_proxy_http2 denial of service
CVE-2025-49630
Patch
CWE-617
High · CVSS 7.5
EPSS 3.5% (88th pct)2025-07-10
Apache HTTP Server: mod_ssl access control bypass with session resumption
CVE-2025-23048
Public exploit
Patch
CWE-284
Critical · CVSS 9.1
EPSS 0.1% (18th pct)2025-07-10
Apache HTTP Server: SSRF on Windows due to UNC paths
CVE-2024-43394
Patch
CWE-918
High · CVSS 7.5
EPSS 0.2% (48th pct)2025-07-10
Apache HTTP Server: mod_ssl error log variable escaping
CVE-2024-47252
Patch
CWE-150
High · CVSS 7.5
EPSS 0.7% (71th pct)2025-07-10
Apache HTTP Server: SSRF with mod_headers setting Content-Type header
CVE-2024-43204
Patch
CWE-918
High · CVSS 7.5
EPSS 0.7% (72th pct)2025-07-10
Apache HTTP Server: HTTP response splitting
CVE-2024-42516
Patch
CWE-20
High · CVSS 7.5
EPSS 0.9% (76th pct)2025-07-10
Medium vulnerability · 2024-07-18
CVE-2024-40725
Patch
CWE-668
Medium · CVSS 5.3
EPSS 25.1% (96th pct)2024-07-18
Critical vulnerability · 2024-07-18
CVE-2024-40898
Patch
CWE-918
Critical · CVSS 9.1
EPSS 0.7% (73th pct)2024-07-18
Medium vulnerability · 2024-07-04
CVE-2024-39884
Patch
Medium · CVSS 6.2
EPSS 0.2% (48th pct)2024-07-04
Apache HTTP Server: mod_rewrite proxy handler substitution
CVE-2024-39573
Patch
CWE-20
High · CVSS 7.5
EPSS 2.6% (86th pct)2024-07-01
Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
CVE-2024-38477
Patch
CWE-476
High · CVSS 7.5
EPSS 1.9% (84th pct)2024-07-01
Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38476
Patch
CWE-829
Critical · CVSS 9.8
EPSS 4.7% (90th pct)2024-07-01
Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.
CVE-2024-38475
CISA KEV
Public exploit
Patch
CWE-116
Added to CISA KEV 2025-05-01
Critical · CVSS 9.3
EPSS 93.9% (100th pct)2024-07-01
Apache HTTP Server weakness with encoded question marks in backreferences
CVE-2024-38474
Patch
CWE-116
High · CVSS 8.1
EPSS 1.0% (78th pct)2024-07-01
High vulnerability · 2024-07-01
CVE-2024-38473
Patch
CWE-116
High · CVSS 8.1
EPSS 88.4% (100th pct)2024-07-01
High vulnerability · 2024-07-01
CVE-2024-38472
Patch
CWE-918
High · CVSS 7.5
EPSS 90.6% (100th pct)2024-07-01
Medium vulnerability · 2024-07-01
CVE-2024-36387
Patch
CWE-476
Medium · CVSS 5.4
EPSS 0.2% (40th pct)2024-07-01
Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
CVE-2024-27316
Patch
CWE-770
High · CVSS 7.5
EPSS 87.6% (99th pct)2024-04-04
Apache HTTP Server: HTTP Response Splitting in multiple modules
CVE-2024-24795
Patch
CWE-113
Medium · CVSS 6.3
EPSS 1.1% (79th pct)2024-04-04
Apache HTTP Server: HTTP response splitting
CVE-2023-38709
Patch
CWE-1284
High · CVSS 7.3
EPSS 4.4% (89th pct)2024-04-04
Vulnerability · 2023-10-23
CVE-2023-31122
Patch
CWE-125
Unscored
EPSS 0.4% (61th pct)2023-10-23
Vulnerability · 2023-10-23
CVE-2023-43622
Public exploit
Patch
CWE-400
Unscored
EPSS 59.5% (98th pct)2023-10-23

Showing 30 of 113

Common weakness types

The CWE weakness categories most often found in apache httpd CVEs. Follow any weakness for its full explanation.

CWE-476NULL Pointer Dereference7 CVEs
CWE-918Server-Side Request Forgery (SSRF)6 CVEs
CWE-444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')5 CVEs
CWE-190Integer Overflow or Wraparound4 CVEs
CWE-20Improper Input Validation3 CVEs
CWE-116Improper Encoding or Escaping of Output3 CVEs
CWE-125Out-of-bounds Read3 CVEs
CWE-150Improper Neutralization of Escape, Meta, or Control Sequences2 CVEs

Disclosure activity by year

How many apache httpd CVEs were published each year.

2016

4

2017

11

2018

12

2019

15

2020

6

2021

18

2022

12

2023

7

2024

14

2025

14

Other apache products

Browse vulnerabilities for other products by apache.

http server338 CVEs tomcat256 CVEs airflow163 CVEs struts91 CVEs traffic server82 CVEs ofbiz74 CVEs trafficserver70 CVEs superset68 CVEs

All apache vulnerabilities

Frequently asked questions

Common questions about apache httpd vulnerabilities.

How many CVEs does apache httpd have?

apache httpd has 113 published CVE records since 2016.

How many apache httpd CVEs are in CISA KEV?

Yes — 5 of apache httpd's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Are there public exploits for apache httpd vulnerabilities?

Yes — 20 of apache httpd's CVEs have a known public exploit.

Which versions of apache httpd are affected?

77 distinct apache httpd versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in apache httpd CVEs?

apache httpd's CVEs most often map to these CWE weakness types: CWE-476 (NULL Pointer Dereference), CWE-918 (Server-Side Request Forgery (SSRF)), CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')), CWE-190 (Integer Overflow or Wraparound).

How many critical apache httpd vulnerabilities are there?

apache httpd has 8 critical and 22 high-severity CVEs.

What is the average severity of apache httpd CVEs?

The average CVSS base score across apache httpd's scored CVEs is 7.6.

References

All apache vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track apache httpd vulnerabilities

Monitor new apache httpd vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References

2 CVEs

29c63b786ae028d82405421585e91283c8fa0da31 CVE

2d0e4eff04ea963128a41faaef21f987272e05a21 CVE

32a08e34411eef12ae60a7cbc3df3cb58e0c01351 CVE

4654faee107e0c3a830c204a1dc94700705e8e861 CVE

4cc27823899e070268b906ca677ee838d07cf67a1 CVE

5744b466c45d5324c60f122b02681813d44967491 CVE

75657ee41677d56a498e298b01d049aef5bf199f1 CVE

787378879acfb212ed4ff824bf9f767a24a5cb431 CVE

7e1212844f3100d90aea80d4fcd1621a17166a731 CVE

8064ccc50bffe86ad464246b9bfac7d78d7dbc1f1 CVE

9a6157d1e2f7ab15963020381054b48782bc18cf1 CVE

ab676a7a567d3c19c00f34f0764202ad92a3044b1 CVE

eb66efd6052801e2f10360c51787569da01858081 CVE

ecebcc035ccd8d0e2984fe41420d9e944f456b3c1 CVE

ef07cb031c6f8f7ac483c26fc858aad68c365fd91 CVE

f4c1e18ead5d642698034b831121cbb82b55f60e1 CVE

fb2bfbb77f1713d4f4e56b0e60d596d302befe991 CVE