Filtered by vendor Apache Subscriptions
Total 3062 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-23907 1 Apache 2 Pdfbox, Pdfbox Examples 2026-04-16 5.3 Medium
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.
CVE-2026-24733 2 Apache, Apache Tomcat 2 Tomcat, Apache Tomcat 2026-04-16 6.5 Medium
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
CVE-2026-24734 2 Apache, Apache Tomcat 3 Tomcat, Tomcat Native, Apache Tomcat 2026-04-16 7.4 High
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
CVE-2026-3234 2 Apache, Redhat 3 Mod Proxy Cluster, Enterprise Linux, Jboss Core Services 2026-04-16 4.3 Medium
A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.
CVE-2005-0088 2 Apache, Redhat 2 Mod Python, Enterprise Linux 2026-04-16 N/A
The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL.
CVE-2004-0809 8 Apache, Debian, Gentoo and 5 more 12 Http Server, Debian Linux, Linux and 9 more 2026-04-16 N/A
The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
CVE-2001-0729 1 Apache 1 Http Server 2026-04-16 N/A
Apache 1.3.20 on Windows servers allows remote attackers to bypass the default index page and list directory contents via a URL with a large number of / (slash) characters.
CVE-2001-0730 2 Apache, Redhat 3 Http Server, Linux, Secure Web Server 2026-04-16 N/A
split-logfile in Apache 1.3.20 allows remote attackers to overwrite arbitrary files that end in the .log extension via an HTTP request with a / (slash) in the Host: header.
CVE-2000-1204 1 Apache 1 Http Server 2026-04-16 N/A
Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.
CVE-2001-0829 1 Apache 1 Tomcat 2026-04-16 N/A
A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.
CVE-2001-0590 1 Apache 1 Tomcat 2026-04-16 N/A
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
CVE-2004-0493 6 Apache, Avaya, Gentoo and 3 more 9 Http Server, Converged Communications Server, S8300 and 6 more 2026-04-16 N/A
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.
CVE-2002-1156 1 Apache 1 Http Server 2026-04-16 N/A
Apache 2.0.42 allows remote attackers to view the source code of a CGI script via a POST request to a directory with both WebDAV and CGI enabled.
CVE-2002-2009 1 Apache 1 Tomcat 2026-04-16 N/A
Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.
CVE-2002-1895 1 Apache 1 Tomcat 2026-04-16 N/A
The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN.
CVE-1999-0070 1 Apache 1 Http Server 2026-04-16 N/A
test-cgi program allows an attacker to list files on the server.
CVE-2004-0885 2 Apache, Redhat 6 Http Server, Enterprise Linux, Network Proxy and 3 more 2026-04-16 N/A
The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.
CVE-2001-0131 2 Apache, Debian 2 Http Server, Debian Linux 2026-04-16 2.9 Low
htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.
CVE-2003-0789 2 Apache, Redhat 2 Http Server, Linux 2026-04-16 N/A
mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client.
CVE-2000-1206 1 Apache 1 Http Server 2026-04-16 N/A
Vulnerability in Apache httpd before 1.3.11, when configured for mass virtual hosting using mod_rewrite, or mod_vhost_alias in Apache 1.3.9, allows remote attackers to retrieve arbitrary files.