Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation CNCF as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...

CVE-2026-49328

Server-Side Request Forgery SSRF in the UrlImageConverter component of Apache Fesod Incubating fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to...

CVE-2026-49328 Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF

Server-Side Request Forgery SSRF in the UrlImageConverter component of Apache Fesod Incubating fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to...

PT-2026-45399

Name of the Vulnerable Software and Affected Versions Apache Fesod Incubating fesod-sheet versions prior to 2.0.2-incubating Description Server-Side Request Forgery SSRF in the UrlImageConverter component allows attackers to trigger outbound network requests to internal or restricted resources by...

ae.teletronics.nlp:entityextraction (=1.3), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0) +1695 more potentially affected by CVE-2026-42027 via org.apache.opennlp:opennlp-tools (>=1.5.2-incubating <=2.5.8)

org.apache.opennlp:opennlp-tools MAVEN version =1.5.2-incubating, =0.1.0, =0.1.0, =2.12.1, =2.12.1, =19.9.0, =19.9.1, =19.9.1, =19.9.0, =19.9.0, =19.9.0, =19.9.0, =26.3.1 and more Source cves: CVE-2026-42027 Source advisory: OSV:GHSA-CX4M-2P55-RW7J...

Apache Atlas has a Code Injection Vulnerability

Description: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Atlas. Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data. Affected...

GHSA-35XX-9XRG-GWHF Apache Atlas has a Code Injection Vulnerability

Description: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Atlas. Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data. Affected...

ai.h2o:h2o-orc-parser (>=3.10.0.5 <=3.10.3.6), co.cask.hydrator:hive-plugins (>=1.2.0 <=2.1.2) +90 more potentially affected by CVE-2026-40563 via org.apache.atlas:atlas-intg (>=0.8-incubating <=2.4.0)

org.apache.atlas:atlas-intg MAVEN version =0.8-incubating, =3.10.0.5, =1.2.0, =0.1.1, =0.1.1, =0.1.1, =0.2.7, =2.2.0, =2.8.0 - io.github.hiverunner:hiverunner =7.0.0 - io.starburst.openx.data:json-serde =1.3.9-e.8 - io.starburst.openx.data:json-serde-cdh7-shim =1.3.9-e.8 -...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +3101 more potentially affected by CVE-2026-23901 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=2.0.6)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.27, =0.0.2, =0.0.27, =0.0.1, =1.0.2, =1.0.0, =1.0.5 and more Source cves: CVE-2026-23901 Source advisory: OSV:GHSA-C4QC-4Q9P-M9Q9...

GHSA-G358-G2PQ-C46J Apache Seata: Deserialization of untrusted Data in Apache Seata Server

Deserialization of Untrusted Data vulnerability in Apache Seata incubating. This issue affects Apache Seata incubating: 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue...

Apache Seata: Deserialization of untrusted Data in Apache Seata Server

Deserialization of Untrusted Data vulnerability in Apache Seata incubating. This issue affects Apache Seata incubating: 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue...

CVE-2025-53606

Deserialization of Untrusted Data vulnerability in Apache Seata incubating. This issue affects Apache Seata incubating: 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue...

CVE-2024-45505 Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities

Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability in Apache HertzBeat incubating. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat incubating: before 1.6.1. Users are recommended to upgrade to versi...

SUSE CVE-2019-0202

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints...

K000130278: Apache Heron vulnerability CVE-2021-42010

Security Advisory Description Heron versions = 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue. CVE-2021-42010 Impact There is no impact; F5 products are not affected by this...

CVE-2021-42010 CRLF log injection

Heron versions = 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue...

CVE-2022-24294

CVE-2022-24294 affects Apache MXNet (incubating) prior to 1.9.1. The vulnerability is a regular-expression Denial of Service (ReDoS) in the MXNet RTC module (get_kernel path cited in sources) when loading a model with a specially crafted operator name, causing excessive resource consumption durin...

GHSA-R9PV-HG64-JQRP Exposure of Sensitive Information in Apache Storm Logviewer

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints...

cc.eamon.open:auth (=0.0.2), cn.acooly:acooly-auth-wechat-authenticator (=5.2.1) +819 more potentially affected by CVE-2020-17523 via org.apache.shiro:shiro-spring (>=1.0.0-incubating <=1.7.0)

org.apache.shiro:shiro-spring MAVEN version =1.0.0-incubating, =1.0.0, =1.0, =1.0, =1.0.0, =1.0.4 - cn.org.awcp:awcp-formdesigner-applicationImpl =1.0-RELEASE and more Source cves: CVE-2020-17523 Source advisory: OSV:GHSA-V98J-7CRC-WVRJ...

be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +2724 more potentially affected by CVE-2020-1957 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.5.1)

org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =1.0.0, =0.0.2, =0.0.21, =0.0.2, =0.0.1, =1.0.0, =0.1, =0.1, =0.1, =0.2 and more Source cves: CVE-2020-1957 Source advisory: OSV:GHSA-26GR-CVQ3-QXGF...