MEIFP – Most Exploited Internet-Facing Products

Apache Software Foundation

Products: Apache ActiveMQ · Apache ActiveMQ All · Apache ActiveMQ Broker · Apache ActiveMQ Legacy OpenWire Module · Apache Camel · Apache CloudStack · Apache HTTP Server · Apache HugeGraph-Server · Apache OFBiz · Apache OpenMeetings · Apache Parquet Java · Apache Shiro · Apache Sling Servlets Resolver · Apache Solr · Apache Superset · Apache Tomcat

294.7

Score

CVEs

Active

PoC

KEV

Rank

Period:

Product:

CVE ID	Published	CVSS	Exploit	KEV	AC	PR	Auto	Score(hover)	Affected Products	Description
CVE-2026-49975	2026-06-08	7.5v3.1	POC	—	Low	None	YES	0.0	Apache HTTP Server	Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
CVE-2026-34020	2026-04-09	7.5v3.1	POC	—	Low	None	YES	0.0	Apache OpenMeetings	Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 bef
CVE-2026-34197	2026-04-07	8.8v3.1	ACTIVE		Low	Low	no	26.4	Apache ActiveMQApache ActiveMQ AllApache ActiveMQ Broker	Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations o
CVE-2026-23552	2026-02-23	9.1v3.1	POC	—	Low	None	YES	0.0	Apache Camel	Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy config
CVE-2025-23048	2025-07-10	9.1v3.1	POC	—	Low	None	YES	0.0	Apache HTTP Server	In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trus
CVE-2025-30065	2025-04-01	10.0v4.0	POC	—	Low	None	YES	0.0	Apache Parquet Java	Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue.
CVE-2025-29891	2025-03-12	4.8v3.1	POC	—	High	None	no	0.0	Apache Camel	Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is
CVE-2025-24813	2025-03-10	10.0v3.1	ACTIVE		Low	None	no	31.2	Apache Tomcat	Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10
CVE-2025-27636	2025-03-09	5.6v3.1	POC	—	High	None	no	0.0	Apache Camel	Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS
CVE-2024-45195	2024-09-04	9.8v3.1	ACTIVE		Low	None	YES	40.6	Apache OFBiz	Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
CVE-2024-38856	2024-08-05	8.1v3.1	ACTIVE		Low	Low	YES	34.3	Apache OFBiz	Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met
CVE-2024-41107	2024-07-19	8.1v3.1	POC	—	High	None	no	0.0	Apache CloudStack	The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response wi
CVE-2024-38475	2024-07-01	9.1v3.1	ACTIVE		Low	None	YES	40.6	Apache HTTP Server	Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. S
CVE-2024-32113	2024-05-08	9.1v3.1	ACTIVE		Low	None	YES	40.6	Apache OFBiz	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
CVE-2024-27348	2024-04-22	9.8v3.1	ACTIVE		Low	None	YES	40.6	Apache HugeGraph-Server	RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
CVE-2024-25065	2024-02-28	9.1v3.1	POC	—	Low	None	YES	0.0	Apache OFBiz	Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2023-50386	2024-02-09	8.8v3.1	POC	—	Low	Low	no	0.0	Apache Solr	Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions
CVE-2024-23673	2024-02-06	8.5v3.1	POC	—	High	Low	no	0.0	Apache Sling Servlets Resolver	Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.This issue affects all version of Apache Sling Servlets Resolver before 2.11.0. However, whether a system is vulnerable to this attack depends on the exact configuration of the system. If the sys
CVE-2023-40610	2023-11-27	6.3v3.1	POC	—	High	Low	no	0.0	Apache Superset	Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement
CVE-2023-46604	2023-10-27	10.0v3.1	ACTIVE		Low	None	YES	40.6	Apache ActiveMQApache ActiveMQ Legacy OpenWire Module	The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cau

Each CVE: 10 pts base (Active only), boosted by:

KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3