1283 matches found
XWiki < 4.10.15 - Sensitive Information Disclosure
XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are...
XWiki < 4.10.15 - Information Disclosure
The Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki but not some protected...
Apache OFBiz < 18.12.07 - Local File Inclusion
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07. id: CVE-2022-47501 info: name: Apache OFBiz 18.12.07 - Local File Inclusion author: your3cho severity:...
Apache Solr - Deserialization of Untrusted Data
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. id:...
Linux Distros Unpatched Vulnerability : CVE-2026-44825
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attack...
CVE-2026-44825
Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...
CVE-2026-44825
Summary (CVE-2026-44825) : Apache Solr’s Basic Authentication bootstrap tool (bin/solr auth enable) contains hardcoded credentials, enabling remote attackers to gain full administrative access for Solr clusters running versions 9.4.0–9.10.1 and 10.0.0. The root cause is the inclusion of default c...
CVE-2026-44825 Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...
EUVD-2026-33602
Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...
Apache Solr DataImportHandler <8.2.0 - Remote Code Execution
Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug...
Apache Solr <=8.8.1 - Server-Side Request Forgery
Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on anothe...
Apache Solr security vulnerabilities
Apache Solr is a search server based on Lucene, developed by the Apache Foundation in the United States. This product supports faceted searching, vertical searching, and highlighting search results. Vulnerabilities exist in Apache Solr versions 9.4.0 through 9.10.1, as well as 10.0.0, due to...
Apache Solr <= 7.1 - XML Entity Injection
Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external...
PT-2026-45073
Name of the Vulnerable Software and Affected Versions Apache Solr versions 9.4.0 through 9.10.1 Apache Solr version 10.0.0 Description The Basic Authentication setup tool bin/solr auth enable contains hardcoded credentials. This allows a remote attacker to gain full administrative access to the...
Important: Red Hat Security Advisory: Red Hat Offline Knowledge Portal security and content update
Red Hat Offline Knowledge Portal security fixes, bug fixes, enhancements & content update This Red Hat Offline Knowledge Portal release upgrades from Solr 9.8.1 to Solr 10.0.0, and fixes several CVEs. It also includes content updates as of May 26 2026...
Apache Solr - Host Environment Variables Leak via Metrics API
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide, however, the default list is designed to wor...
CVE-2026-45083
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to th...