Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Perimeter Scanner
Scanning
Projects
Scanner
Agent Scanning
API Scanning
Manual Audit
Email
Webhook
Resources
Documents
Blog
Glossary
FAQ
Plugins
Pricing
Contacts
About Us
Partners
Branding Guideline
Settings
Sign in
ApacheHttp Server

300 matches found

CVE
CVEadded 2005/12/13 8:3 p.m.121 views

CVE-2005-3352

Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

4.3CVSS7.9AI score0.37141EPSS
CVE
CVEadded 2005/02/09 5:0 a.m.120 views

CVE-2004-0940

Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.

7.8CVSS8AI score0.04161EPSS
CVE
CVEadded 2007/08/23 10:17 p.m.118 views

CVE-2007-3847

The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read.

5CVSS9.2AI score0.04041EPSS
CVE
CVEadded 2008/01/12 12:46 a.m.118 views

CVE-2008-0005

mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.

4.3CVSS8.6AI score0.0232EPSS
CVE
CVEadded 2003/04/02 5:0 a.m.115 views

CVE-2003-0083

Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability ...

5CVSS6.3AI score0.19383EPSS
CVE
CVEadded 2005/05/02 4:0 a.m.111 views

CVE-2005-1344

Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to execute arbitrary code via a long realm argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is e...

7.5CVSS9.8AI score0.14331EPSS
CVE
CVEadded 2010/02/02 4:30 p.m.110 views

CVE-2010-0010

Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-ba...

6.8CVSS8.2AI score0.47445EPSS
CVE
CVEadded 2009/06/08 1:0 a.m.109 views

CVE-2009-0023

The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn mo...

4.3CVSS7.5AI score0.1007EPSS
CVE
CVEadded 2010/08/05 6:17 p.m.108 views

CVE-2010-2791

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportuni...

5CVSS6.1AI score0.08537EPSS
CVE
CVEadded 2015/07/20 11:59 p.m.108 views

CVE-2015-0253

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation...

5CVSS7.9AI score0.08163EPSS
CVE
CVEadded 2005/07/14 4:0 a.m.106 views

CVE-2001-1556

The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.

5CVSS6.9AI score0.03202EPSS
CVE
CVEadded 2005/07/05 4:0 a.m.104 views

CVE-2005-2088

The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length ...

4.3CVSS5.8AI score0.81401EPSS
CVE
CVEadded 2004/03/03 5:0 a.m.102 views

CVE-2003-0987

mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.

7.5CVSS7.5AI score0.19648EPSS
CVE
CVEadded 2011/05/24 11:55 p.m.101 views

CVE-2011-1928

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by ...

4.3CVSS6.7AI score0.50389EPSS
CVE
CVEadded 1999/09/29 4:0 a.m.99 views

CVE-1999-0070

test-cgi program allows an attacker to list files on the server.

5CVSS6.7AI score0.69703EPSS
CVE
CVEadded 2006/01/06 11:0 p.m.97 views

CVE-2005-3357

mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.

5.4CVSS6.1AI score0.3724EPSS
CVE
CVEadded 2002/10/11 4:0 a.m.93 views

CVE-2002-0843

Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.

7.5CVSS9.5AI score0.03812EPSS
CVE
CVEadded 2003/04/11 4:0 a.m.93 views

CVE-2003-0132

A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.

5CVSS6.2AI score0.86718EPSS
CVE
CVEadded 2001/03/12 5:0 a.m.91 views

CVE-2001-0131

htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.

3.3CVSS6AI score0.00114EPSS
CVE
CVEadded 1999/09/29 4:0 a.m.88 views

CVE-1999-0067

phf CGI program allows remote command execution through shell metacharacters.

10CVSS7.2AI score0.91794EPSS
CVE
CVEadded 2002/10/11 4:0 a.m.86 views

CVE-2002-0839

The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the ...

7.2CVSS6.5AI score0.00124EPSS
CVE
CVEadded 2003/08/18 4:0 a.m.86 views

CVE-2003-0192

Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.

6.4CVSS9.3AI score0.15249EPSS
CVE
CVEadded 2004/05/04 4:0 a.m.84 views

CVE-2004-0174

Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."

7.5CVSS7.3AI score0.47089EPSS
CVE
CVEadded 2005/07/14 4:0 a.m.83 views

CVE-2002-2029

PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.

7.5CVSS7.3AI score0.71043EPSS
CVE
CVEadded 2004/10/20 4:0 a.m.82 views

CVE-2004-0747

Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.

7.8CVSS7.8AI score0.01127EPSS
CVE
CVEadded 1999/12/12 5:0 a.m.81 views

CVE-1999-0289

The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.

5CVSS7AI score0.01293EPSS
CVE
CVEadded 2004/09/01 4:0 a.m.80 views

CVE-2003-0016

Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names.

7.5CVSS7.7AI score0.43366EPSS
CVE
CVEadded 2009/04/23 5:30 p.m.80 views

CVE-2009-1191

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

5CVSS7.2AI score0.05134EPSS
CVE
CVEadded 2004/12/31 5:0 a.m.79 views

CVE-2004-0811

Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.

7.5CVSS7.5AI score0.03739EPSS
CVE
CVEadded 2025/07/10 5:15 p.m.79 views

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trus...

9.1CVSS6.5AI score0.0003EPSS
CVE
CVEadded 1999/09/29 4:0 a.m.77 views

CVE-1999-0045

List of arbitrary files on Web host via nph-test-cgi script.

7.5CVSS6.9AI score0.13182EPSS
CVE
CVEadded 2000/10/13 4:0 a.m.76 views

CVE-2000-0505

The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directory contents by requesting a URL containing a large number of / characters.

5CVSS6.6AI score0.46366EPSS
CVE
CVEadded 2004/09/01 4:0 a.m.76 views

CVE-2004-0113

Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.

5CVSS7.3AI score0.16532EPSS
CVE
CVEadded 2007/06/27 5:30 p.m.76 views

CVE-2007-1863

cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or...

5CVSS6.2AI score0.34512EPSS
CVE
CVEadded 2001/09/12 4:0 a.m.75 views

CVE-1999-1053

guestbook.pl cleanses user-inserted SSI commands by removing text between "" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

7.5CVSS7.7AI score0.88012EPSS
CVE
CVEadded 2004/08/06 4:0 a.m.75 views

CVE-2004-0493

The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab charact...

6.4CVSS6.8AI score0.91151EPSS
CVE
CVEadded 2007/12/21 10:46 p.m.74 views

CVE-2007-6514

Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbfs, allows remote attackers to obtain unprocessed content such as source files for .php programs via a trailing "" (backslash), which is not handled by the intended AddType directive.

4.3CVSS6.6AI score0.09678EPSS
CVE
CVEadded 2002/08/12 4:0 a.m.73 views

CVE-2002-0661

Directory traversal vulnerability in Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to read arbitrary files and execute commands via .. (dot dot) sequences containing \ (backslash) characters.

7.5CVSS7AI score0.91929EPSS
CVE
CVEadded 2004/09/17 4:0 a.m.72 views

CVE-2004-0809

The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

5CVSS7.2AI score0.16458EPSS
CVE
CVEadded 2005/10/25 5:6 p.m.72 views

CVE-2005-2970

Memory leak in the worker MPM (worker.c) for Apache 2, in certain circumstances, allows remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections.

5CVSS6.2AI score0.08033EPSS
CVE
CVEadded 2005/07/14 4:0 a.m.71 views

CVE-2001-1534

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.

2.1CVSS6.4AI score0.00146EPSS
CVE
CVEadded 2005/02/09 5:0 a.m.71 views

CVE-2004-0942

Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.

5CVSS9AI score0.81382EPSS
CVE
CVEadded 2005/05/10 4:0 a.m.71 views

CVE-2004-1834

mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information.

2.1CVSS6.6AI score0.00212EPSS
CVE
CVEadded 2002/02/02 5:0 a.m.70 views

CVE-2001-0925

The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoin...

5CVSS6.6AI score0.85462EPSS
CVE
CVEadded 2006/10/23 5:0 p.m.70 views

CVE-2003-1307

The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the...

4.3CVSS6.4AI score0.00516EPSS
CVE
CVEadded 1999/09/29 4:0 a.m.69 views

CVE-1999-0071

Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

7.5CVSS7.3AI score0.0215EPSS
CVE
CVEadded 2004/11/23 5:0 a.m.68 views

CVE-2004-0263

PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.

5CVSS6.5AI score0.01657EPSS
CVE
CVEadded 2004/10/20 4:0 a.m.67 views

CVE-2004-0786

The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.

5CVSS7.3AI score0.51084EPSS
CVE
CVEadded 2002/08/31 4:0 a.m.66 views

CVE-2000-1205

Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which d...

4.3CVSS6.6AI score0.05698EPSS
CVE
CVEadded 2005/04/27 4:0 a.m.66 views

CVE-2002-1658

Buffer overflow in htdigest in Apache 1.3.26 and 1.3.27 may allow attackers to execute arbitrary code via a long user argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htd...

4.6CVSS8.3AI score0.00202EPSS
Total number of security vulnerabilities300