Apache security advisories
19 threat alerts tracking vulnerabilities and security advisories that affect Apache products.
Vulnios monitors Apache CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent Apache security news in one place, or click into an individual alert for full detail.
CVE-2026-7262 NULL pointer dereference in SOAP apache:Map decoder with missing
Microsoft Security Response Center published an advisory on "CVE-2026-7262 NULL pointer dereference in SOAP apache:Map decoder with missing". Topic areas: microsoft, windows, azure, patch. Published M
critical CVE-2026-7262

CVE-2026-6722 Use-After-Free in SOAP using Apache map
Microsoft Security Response Center published an advisory on "CVE-2026-6722 Use-After-Free in SOAP using Apache map". Topic areas: microsoft, windows, azure, patch. Published May 11, 2026. See the orig
critical CVE-2026-6722

CVE-2026-43869 Apache Thrift: TSSLTransportFactory.java hostname verification
Microsoft Security Response Center published an advisory on "CVE-2026-43869 Apache Thrift: TSSLTransportFactory.java hostname verification". Topic areas: microsoft, windows, azure, patch. Published Ma
critical CVE-2026-43869

CVE-2026-33109 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
critical CVE-2026-33109

CVE-2026-33844 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
critical CVE-2026-33844

CVE-2026-43870 Apache Thrift: Node.js web_server.js multi-vulnerability
critical CVE-2026-43870

CVE-2026-29168 Apache HTTP Server: mod_md unrestricted OCSP response
critical CVE-2026-29168

CVE-2026-24072 Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr
critical CVE-2026-24072

CVE-2026-29169 Apache HTTP Server: mod_dav_lock indirect lock crash
critical CVE-2026-29169

CVE-2026-33007 Apache HTTP Server: mod_authn_socache crash
critical CVE-2026-33007

CVE-2026-34032 Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
critical CVE-2026-34032

CVE-2026-23918 Apache HTTP Server: http2: double free and possible RCE on early reset
critical CVE-2026-23918

CVE-2026-33006 Apache HTTP Server: mod_auth_digest timing attack
critical CVE-2026-33006

CVE-2026-33523 Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
critical CVE-2026-33523

CVE-2026-34059 Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()
critical CVE-2026-34059

CVE-2026-33857 Apache HTTP Server: Off-by-one OOB reads in AJP getter functions
critical CVE-2026-33857

CVE-2026-43868 Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
critical CVE-2026-43868

DSA-6248-1 apache2 - security update
https://security-tracker.debian.org/tracker/DSA-6248-1
critical

USN-8239-1: Apache HTTP Server vulnerabilities
Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache HTTP Server incorrectly handled certain memory operations when using the HTTP/2 protocol. A remote attacker could use this issue to
critical CVE-2026-23918