59904 matches found
UBUNTU-CVE-2026-42778
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...
PT-2026-46269
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...
UBUNTU-CVE-2026-42779
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...
RockyLinux 10 : httpd (RLSA-2026:21433)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21433 advisory. httpd: modproxyajp: heap-based buffer over-read and memory disclosure in ajpparsedata CVE-2026-34059 httpd: modproxyajp: heap-based buffer over-read du...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Apache Tomcat Connectors vulnerability (USN-8369-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8369-1 advisory. It was discovered that Apache Tomcat Connectors used incorrect default permissions for shared memory on Unix-like...
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Apache Commons Lang vulnerability (USN-8364-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8364-1 advisory. It was discovered that Apache Commons Lang incorrectly handled recursion in the ClassUtils.getClass...
PT-2026-46876
It was discovered that Apache HTTP Server incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume excessive resources, resulting in a denial of service...
ROOT-APP-PYPI-CVE-2025-68675 CVE-2025-68675 in rootio-apache-airflow - Patched by Root
Root has patched CVE-2025-68675 in the rootio-apache-airflow package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2023-25691 CVE-2023-25691 in rootio-apache-airflow-providers-google - Patched by Root
Root has patched CVE-2023-25691 in the rootio-apache-airflow-providers-google package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2023-25956 CVE-2023-25956 in rootio-apache-airflow-providers-amazon - Patched by Root
Root has patched CVE-2023-25956 in the rootio-apache-airflow-providers-amazon package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-50213 CVE-2025-50213 in rootio-apache-airflow-providers-snowflake - Patched by Root
Root has patched CVE-2025-50213 in the rootio-apache-airflow-providers-snowflake package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2023-34395 CVE-2023-34395 in rootio-apache-airflow-providers-odbc - Patched by Root
Root has patched CVE-2023-34395 in the rootio-apache-airflow-providers-odbc package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-30473 CVE-2025-30473 in rootio-apache-airflow-providers-common-sql - Patched by Root
Root has patched CVE-2025-30473 in the rootio-apache-airflow-providers-common-sql package for Root:PyPI. Multiple fixed versions available...
CVE-2026-47065
CVE-2026-47065 (Apache MINA context) describes two deserialization bypass issues: first, resolveProxyClass bypasses the accept/allow-list when JDK resolves proxy interfaces from a serialized proxy via ObjectInputStream.readProxyDesc(), and second, readClassDescriptor triggers static initializers ...
CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...
CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's...
Apache ShenYu Admin Unauth Access
Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. id: CVE-2022-23944 info: name: Apache ShenYu Admin Unauth Access author: cckuakilong severity: critical description: Apach...
Apache Tika < 1.1.8 - Header Command Injection
Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. i...
Apache Airflow OS Command Injection
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. id: CVE-2022-24288 info: name: Apache Airflow OS Command Injection...