CVE-2026-34031 Apache Answer: The custom avatar was not properly validated

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to...

EUVD-2026-35370

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to...

CVE-2026-34031 Apache Answer: The custom avatar was not properly validated

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to...

CVE-2026-34031

CVE-2026-34031 concerns Apache Answer up to version 2.0.0, where the server fails to validate user-supplied image URLs used for profile avatars. This allows embedding arbitrary external content as avatars, potentially enabling unintended external requests and tracking by third-party servers. A fi...

EUVD-2026-35369

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are...

CVE-2026-33582 Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are...

CVE-2026-33582 Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are...

CVE-2026-33582

The CVE-2026-33582 issue affects Apache Answer up to version 2.0.0, where a crafted TIFF image can trigger excessive memory allocation during decoding, allowing an authenticated user to crash the server process. Upgrade to version 2.0.1 to fix the issue. The reported CVSS vector indicates MEDIUM ...

CVE-2026-25699

CVE-2026-25699 applies to Apache Answer up to version 2.0.0, where timeline-related APIs lacked proper authorization checks. This could allow regular authenticated users to access deleted, private, or unapproved content and its revision history. The issue is addressed by upgrading to version 2.0....

CVE-2026-25699 Apache Answer: Authorization Bypass in Timeline API

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and i...

CVE-2026-25688 Apache Answer: XSS in AI Answer Rendering

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are...

CVE-2026-25688

CVE-2026-25688 describes an XSS vulnerability in Apache Answer. The issue is an improper neutralization of alternate XSS syntax in AI-generated responses rendered in the browser, affecting Apache Answer up to version 2.0.0. Affected behavior allows execution of malicious scripts when content is v...

EUVD-2026-35367

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are...

CVE-2026-25688 Apache Answer: XSS in AI Answer Rendering

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are...

GHSA-3244-J874-RHC2 vulnerabilities

Vulnerabilities for packages: apache-hop-fips, celeborn, management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-4.1, seata, pinot, apache-hop, trino, thingsboard...

GHSA-6GHJ-FRRJ-JJJ3 vulnerabilities

Vulnerabilities for packages: apache-hop-fips, celeborn, management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-4.1, seata, pinot, apache-hop, trino, thingsboard...

CVE-2026-44890 vulnerabilities

Vulnerabilities for packages: apache-hop-fips, celeborn, management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-4.1, seata, pinot, apache-hop, trino, thingsboard...

CVE-2026-44250 vulnerabilities

Vulnerabilities for packages: apache-hop-fips, celeborn, management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-4.1, seata, pinot, apache-hop, trino, thingsboard...

Apache Tapestry - Remote Code Execution

Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the...

Apache Druid - Local File Inclusion

Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of t...