Apache HTTP Server 2.4 powers millions of websites worldwide, but recent security audits have uncovered an alarming number of vulnerabilities that demand immediate attention. Our analysis reveals 212 documented CVEs affecting this version, 41 of them classified as critical severity, meaning attackers could potentially gain unauthorized access, bypass authentication, or execute malicious code on your server. If your website runs Apache 2.4, this guide will help you understand the risks and take action to protect your online presence.
The severity of these vulnerabilities cannot be overstated. From authentication bypass exploits to remote code execution flaws, the threats range from data breaches to complete system compromise. With 1,711 websites still running vulnerable versions of Apache 2.4, the time to act is now. In this guide, we walk you through identifying whether your site is at risk and applying the security patches that will keep your infrastructure safe.
Apache HTTP Server (commonly called Apache) is the web server software that delivers web content from your server to visitors' browsers. Think of it as a digital postal worker: it receives requests for web pages and delivers the responses reliably. Apache 2.4 is the major version released to improve performance, security, and support for modern web standards compared to earlier versions. Many businesses chose to deploy Apache 2.4 because it offered better handling of concurrent connections and improved SSL/TLS support for secure communications.
However, like all software, Apache 2.4 has received security patches throughout its lifecycle as researchers discovered vulnerabilities. These vulnerabilities are typically found in the core Apache code or in third-party libraries and modules that Apache uses for tasks such as authentication, SSL/TLS encryption, and content-type processing. When vulnerabilities are discovered but not patched, attackers can exploit them to compromise websites, steal data, or launch attacks against your visitors.
212 CVEs were found. The most critical are explained below, followed by the full table. Note that the table is matched on the version string 2.4 and therefore also includes entries for other Apache projects (Groovy, Spark, Ignite, ShenYu, CXF, Airflow and others) whose affected versions happen to be 2.4.x; check the Description column to see which entries actually concern Apache HTTP Server.
Apache Commons Configuration has a vulnerability in which a specially crafted YAML file can cause code to run on your server when it is parsed. If your website accepts or processes YAML files from users or external sources, attackers can abuse this to take control of your system.
Impact: An attacker could gain full control of your web server, steal customer data, modify website content, or use your server to attack other websites.
Apache Groovy (a JVM programming language) contains a flaw that lets attackers run malicious code through specially crafted files. If your website uses Groovy to process user-uploaded files or data, this vulnerability creates a serious security gap.
Impact: Attackers can execute arbitrary code on your server, potentially stealing sensitive data or completely compromising your website.
A flaw in Apache httpd 2.4 allows third-party modules to unintentionally skip the checks that verify user login credentials. Users who should not have access could get through without proper authentication.
Impact: Unauthorized users could gain access to password-protected areas of your website without valid credentials, compromising user data and site security.
Apache httpd 2.4 has a flaw where, under certain conditions, the HTTPS (TLS) layer crashes while processing requests. The crash is triggered by third-party modules interacting incorrectly with the HTTPS code.
Impact: Your website could crash or become temporarily unavailable, disrupting service for customers and potentially exposing sensitive information.
Apache httpd 2.4 has a flaw where malicious response headers can cause the server to read memory out of bounds. An attacker can craft a special response to trigger this vulnerability.
Impact: An attacker could potentially read sensitive data from server memory or cause your website to crash.
Apache CXF (a web services framework) incorrectly validates security tokens in SOAP requests. An attacker can send an empty security token and bypass the authentication checks designed to verify user identity.
Impact: Unauthorized users could bypass login requirements and gain access to protected services and data on your website.
| CVE ID | Severity | Score (CVSS) | Published | Description |
|---|---|---|---|---|
| CVE-2016-6814 | CRITICAL | 9.8 | 2018-01-18 | When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. t… |
| CVE-2018-1312 | CRITICAL | 9.8 | 2018-03-26 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random… |
| CVE-2018-8018 | CRITICAL | 9.8 | 2018-07-20 | In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possibl… |
| CVE-2020-9480 | CRITICAL | 9.8 | 2020-06-23 | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, howev… |
| CVE-2020-11984 | CRITICAL | 9.8 | 2020-08-07 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE |
| CVE-2021-26691 | CRITICAL | 9.8 | 2021-06-10 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow |
| CVE-2021-30690 | CRITICAL | 9.8 | 2021-09-08 | Multiple issues in apache were addressed by updating apache to version 2.4.46. This issue is fixed in Security Update 2021-004 Mojave. Multiple issues in apache. |
| CVE-2021-39275 | CRITICAL | 9.8 | 2021-09-16 | ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules … |
| CVE-2021-41773 | CRITICAL | 9.8 | 2021-10-05 | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories co… |
| CVE-2021-42013 | CRITICAL | 9.8 | 2021-10-07 | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the director… |
| CVE-2021-37580 | CRITICAL | 9.8 | 2021-11-16 | A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and … |
| CVE-2021-44790 | CRITICAL | 9.8 | 2021-12-20 | A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an expl… |
| CVE-2021-45029 | CRITICAL | 9.8 | 2022-01-25 | Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-22720 | CRITICAL | 9.8 | 2022-03-14 | Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling |
| CVE-2022-23943 | CRITICAL | 9.8 | 2022-03-14 | Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP… |
| CVE-2022-31813 | CRITICAL | 9.8 | 2022-06-09 | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to … |
| CVE-2022-33980 | CRITICAL | 9.8 | 2022-07-06 | Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name… |
| CVE-2023-25690 | CRITICAL | 9.8 | 2023-03-07 | Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled … |
| CVE-2024-38474 | CRITICAL | 9.8 | 2024-07-01 | Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not direct… |
| CVE-2024-38476 | CRITICAL | 9.8 | 2024-07-01 | The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response hea… |
| CVE-2025-53606 | CRITICAL | 9.8 | 2025-08-08 | Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.… |
| CVE-2025-54539 | CRITICAL | 9.8 | 2025-10-16 | A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2… |
| CVE-2026-27446 | CRITICAL | 9.8 | 2026-03-04 | Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to fo… |
| CVE-2026-28780 | CRITICAL | 9.8 | 2026-05-05 | Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP messa… |
| CVE-2017-9788 | CRITICAL | 9.1 | 2017-07-13 | In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between succe… |
| CVE-2019-10082 | CRITICAL | 9.1 | 2019-09-26 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. |
| CVE-2022-23944 | CRITICAL | 9.1 | 2022-01-25 | User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-22721 | CRITICAL | 9.1 | 2022-03-14 | If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. Thi… |
| CVE-2022-28615 | CRITICAL | 9.1 | 2022-06-09 | Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While … |
| CVE-2022-37865 | CRITICAL | 9.1 | 2022-11-07 | With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts usin… |
| CVE-2024-38475 | CRITICAL | 9.1 | 2024-07-01 | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the s… |
| CVE-2024-45479 | CRITICAL | 9.1 | 2025-01-21 | SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue. |
| CVE-2025-23048 | CRITICAL | 9.1 | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configura… |
| CVE-2021-40438 | CRITICAL | 9.0 | 2021-09-16 | A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2022-36760 | CRITICAL | 9.0 | 2023-01-17 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP serv… |
| CVE-2012-2379 | HIGH | 10.0 | 2013-01-03 | Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure … |
| CVE-2016-6801 | HIGH | 8.8 | 2016-09-21 | Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3… |
| CVE-2022-37435 | HIGH | 8.8 | 2022-09-01 | Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4… |
| CVE-2022-40127 | HIGH | 8.8 | 2022-11-14 | A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. Thi… |
| CVE-2024-39877 | HIGH | 8.8 | 2024-07-17 | Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code i… |
| CVE-2026-24072 | HIGH | 8.8 | 2026-05-04 | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are … |
| CVE-2026-23918 | HIGH | 8.8 | 2026-05-04 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2024-27135 | HIGH | 8.5 | 2024-03-12 | Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxe… |
| CVE-2024-27894 | HIGH | 8.5 | 2024-03-12 | The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported UR… |
| CVE-2022-45048 | HIGH | 8.4 | 2023-05-05 | Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. User… |
| CVE-2024-27317 | HIGH | 8.4 | 2024-03-12 | In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a … |
| CVE-2025-58098 | HIGH | 8.3 | 2025-12-05 | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. … |
| CVE-2020-11988 | HIGH | 8.2 | 2021-02-24 | Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argumen… |
| CVE-2021-44224 | HIGH | 8.2 | 2021-12-20 | A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy d… |
| CVE-2016-5387 | HIGH | 8.1 | 2016-07-19 | The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY envi… |
| CVE-2017-15715 | HIGH | 8.1 | 2018-03-26 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the … |
| CVE-2022-41672 | HIGH | 8.1 | 2022-10-07 | In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. |
| CVE-2021-40331 | HIGH | 8.1 | 2023-05-05 | An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the owner… |
| CVE-2024-38473 | HIGH | 8.1 | 2024-07-01 | Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentica… |
| CVE-2026-40563 | HIGH | 8.1 | 2026-05-04 | Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query st… |
| CVE-2019-0211 | HIGH | 7.8 | 2019-04-08 | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by… |
| CVE-2013-2249 | HIGH | 7.5 | 2013-07-23 | mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requi… |
| CVE-2016-4979 | HIGH | 7.5 | 2016-07-06 | The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request author… |
| CVE-2016-8740 | HIGH | 7.5 | 2016-12-05 | The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows re… |
| CVE-2017-7668 | HIGH | 7.5 | 2017-06-20 | The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input st… |
| CVE-2017-9789 | HIGH | 7.5 | 2017-07-13 | When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially errati… |
| CVE-2017-7659 | HIGH | 7.5 | 2017-07-26 | A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. |
| CVE-2016-0736 | HIGH | 7.5 | 2017-07-27 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (… |
| CVE-2016-2161 | HIGH | 7.5 | 2017-07-27 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid … |
| CVE-2016-8743 | HIGH | 7.5 | 2017-07-27 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these differ… |
| CVE-2017-9798 | HIGH | 7.5 | 2017-09-18 | Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigur… |
| CVE-2014-0072 | HIGH | 7.5 | 2017-10-30 | ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordo… |
| CVE-2017-15710 | HIGH | 7.5 | 2018-03-26 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup … |
| CVE-2018-1303 | HIGH | 7.5 | 2018-03-26 | A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared m… |
| CVE-2018-1333 | HIGH | 7.5 | 2018-06-18 | By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Serv… |
| CVE-2018-8011 | HIGH | 7.5 | 2018-07-18 | By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. F… |
| CVE-2018-17199 | HIGH | 7.5 | 2019-01-30 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_s… |
| CVE-2019-0190 | HIGH | 7.5 | 2019-01-30 | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denia… |
| CVE-2019-0215 | HIGH | 7.5 | 2019-04-08 | In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured a… |
| CVE-2019-0217 | HIGH | 7.5 | 2019-04-08 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate… |
| CVE-2020-11993 | HIGH | 7.5 | 2020-08-07 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong con… |
| CVE-2020-9490 | HIGH | 7.5 | 2020-08-07 | Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to… |
| CVE-2020-13950 | HIGH | 7.5 | 2021-06-10 | Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-… |
| CVE-2021-26690 | HIGH | 7.5 | 2021-06-10 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial O… |
| CVE-2021-31618 | HIGH | 7.5 | 2021-06-15 | Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 proto… |
| CVE-2021-33193 | HIGH | 7.5 | 2021-08-16 | A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP S… |
| CVE-2021-34798 | HIGH | 7.5 | 2021-09-16 | Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2021-36160 | HIGH | 7.5 | 2021-09-16 | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 … |
| CVE-2022-23223 | HIGH | 7.5 | 2022-01-25 | On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. |
| CVE-2022-23945 | HIGH | 7.5 | 2022-01-25 | Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-22719 | HIGH | 7.5 | 2022-03-14 | A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. |
| CVE-2022-26650 | HIGH | 7.5 | 2022-05-17 | In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllab… |
| CVE-2022-26377 | HIGH | 7.5 | 2022-06-09 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP serv… |
| CVE-2022-29404 | HIGH | 7.5 | 2022-06-09 | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input siz… |
| CVE-2022-30522 | HIGH | 7.5 | 2022-06-09 | If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory a… |
| CVE-2022-30556 | HIGH | 7.5 | 2022-06-09 | Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. |
| CVE-2006-20001 | HIGH | 7.5 | 2023-01-17 | A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the… |
| CVE-2023-27522 | HIGH | 7.5 | 2023-03-07 | HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the orig… |
| CVE-2023-28625 | HIGH | 7.5 | 2023-04-03 | mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 thr… |
| CVE-2023-39553 | HIGH | 7.5 | 2023-08-11 | Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an a… |
| CVE-2023-31122 | HIGH | 7.5 | 2023-10-23 | Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. |
| CVE-2023-43622 | HIGH | 7.5 | 2023-10-23 | An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to … |
| CVE-2024-24814 | HIGH | 7.5 | 2024-02-13 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In … |
| CVE-2024-38472 | HIGH | 7.5 | 2024-07-01 | SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to … |
| CVE-2024-38477 | HIGH | 7.5 | 2024-07-01 | null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to … |
| CVE-2024-39573 | HIGH | 7.5 | 2024-07-01 | Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. User… |
| CVE-2024-40898 | HIGH | 7.5 | 2024-07-18 | SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. User… |
| CVE-2024-42516 | HIGH | 7.5 | 2025-07-10 | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server c… |
| CVE-2024-43204 | HIGH | 7.5 | 2025-07-10 | SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where … |
| CVE-2024-43394 | HIGH | 7.5 | 2025-07-10 | Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass u… |
| CVE-2024-47252 | HIGH | 7.5 | 2025-07-10 | Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in so… |
| CVE-2025-53020 | HIGH | 7.5 | 2025-07-10 | Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to up… |
| CVE-2025-55753 | HIGH | 7.5 | 2025-12-05 | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempt… |
| CVE-2025-59775 | HIGH | 7.5 | 2025-12-05 | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to… |
| CVE-2026-34059 | HIGH | 7.5 | 2026-05-04 | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the … |
| CVE-2026-29169 | HIGH | 7.5 | 2026-05-04 | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used int… |
| CVE-2025-49812 | HIGH | 7.4 | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via… |
| CVE-2020-35452 | HIGH | 7.3 | 2021-06-10 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, … |
| CVE-2023-38709 | HIGH | 7.3 | 2024-04-04 | Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2… |
| CVE-2026-29168 | HIGH | 7.3 | 2026-05-05 | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 thro… |
| CVE-2019-10097 | HIGH | 7.2 | 2019-09-26 | In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could… |
| CVE-2024-46910 | HIGH | 7.1 | 2025-02-13 | An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to v… |
| CVE-2012-0883 | MEDIUM | 6.9 | 2012-04-18 | envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Troj… |
| CVE-2014-0226 | MEDIUM | 6.8 | 2014-07-20 | Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obta… |
| CVE-2015-3330 | MEDIUM | 6.8 | 2015-06-09 | The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows… |
| CVE-2014-0229 | MEDIUM | 6.5 | 2017-03-23 | Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool,… |
| CVE-2014-3250 | MEDIUM | 6.5 | 2017-12-11 | The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information… |
| CVE-2017-15691 | MEDIUM | 6.5 | 2018-04-26 | In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vu… |
| CVE-2025-27391 | MEDIUM | 6.5 | 2025-04-09 | Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.… |
| CVE-2025-65082 | MEDIUM | 6.5 | 2025-12-05 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly super… |
| CVE-2026-33523 | MEDIUM | 6.5 | 2026-05-04 | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.… |
| CVE-2015-1833 | MEDIUM | 6.4 | 2015-05-29 | XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.… |
| CVE-2024-24795 | MEDIUM | 6.3 | 2024-04-04 | HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchr… |
| CVE-2025-54090 | MEDIUM | 6.3 | 2025-07-23 | A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. |
| CVE-2024-39884 | MEDIUM | 6.2 | 2024-07-04 | A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under som… |
| CVE-2016-4975 | MEDIUM | 6.1 | 2018-08-14 | Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR o… |
| CVE-2019-10098 | MEDIUM | 6.1 | 2019-09-25 | In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to … |
| CVE-2019-10092 | MEDIUM | 6.1 | 2019-09-26 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be … |
| CVE-2020-1927 | MEDIUM | 6.1 | 2020-04-02 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to … |
| CVE-2022-43982 | MEDIUM | 6.1 | 2022-11-02 | In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. |
| CVE-2022-43985 | MEDIUM | 6.1 | 2022-11-02 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
| CVE-2022-45402 | MEDIUM | 6.1 | 2022-11-15 | In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. |
| CVE-2016-1546 | MEDIUM | 5.9 | 2016-07-06 | The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote a… |
| CVE-2018-1301 | MEDIUM | 5.9 | 2018-03-26 | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP head… |
| CVE-2018-1302 | MEDIUM | 5.9 | 2018-03-26 | When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. T… |
| CVE-2018-11763 | MEDIUM | 5.9 | 2018-09-25 | In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout co… |
| CVE-2019-11989 | MEDIUM | 5.9 | 2019-07-19 | A security vulnerability in HPE IceWall SSO Agent Option and IceWall MFA (Agent module ) could be exploited remotely to cause a denial of service. The versions and platforms of Ag… |
| CVE-2021-32791 | MEDIUM | 5.9 | 2021-07-26 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID… |
| CVE-2021-38153 | MEDIUM | 5.9 | 2021-09-22 | Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more li… |
| CVE-2021-41159 | MEDIUM | 5.8 | 2021-10-21 | FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections (`/g… |
| CVE-2016-4976 | MEDIUM | 5.5 | 2017-03-29 | Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. |
| CVE-2020-17521 | MEDIUM | 5.5 | 2020-12-07 | Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now supersed… |
| CVE-2020-13938 | MEDIUM | 5.5 | 2021-06-10 | Apache HTTP Server versions 2.4.0 to 2.4.46: unprivileged local users can stop httpd on Windows. |
| CVE-2022-25169 | MEDIUM | 5.5 | 2022-05-16 | The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. |
| CVE-2022-30126 | MEDIUM | 5.5 | 2022-05-16 | In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specia… |
| CVE-2021-42597 | MEDIUM | 5.4 | 2022-09-16 | A Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Storage Unit Rental Management System PHP 8.0.10 , Apache 2.4.14, SURMS V 1.0 via the Add New Tenant List Rent … |
| CVE-2025-66200 | MEDIUM | 5.4 | 2025-12-05 | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scrip… |
| CVE-2018-1283 | MEDIUM | 5.3 | 2018-03-26 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their… |
| CVE-2018-17189 | MEDIUM | 5.3 | 2019-01-30 | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server t… |
| CVE-2019-0220 | MEDIUM | 5.3 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationM… |
| CVE-2019-0196 | MEDIUM | 5.3 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison… |
| CVE-2020-1934 | MEDIUM | 5.3 | 2020-04-01 | In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. |
| CVE-2020-11985 | MEDIUM | 5.3 | 2020-08-07 | IP address spoofing when proxying using mod_remoteip and mod_rewrite. For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof the… |
| CVE-2020-13937 | MEDIUM | 5.3 | 2020-10-19 | Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3… |
| CVE-2019-17567 | MEDIUM | 5.3 | 2021-06-10 | Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regard… |
| CVE-2021-30641 | MEDIUM | 5.3 | 2021-06-10 | Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'. |
| CVE-2021-32785 | MEDIUM | 5.3 | 2021-07-22 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID… |
| CVE-2021-41160 | MEDIUM | 5.3 | 2021-10-21 | FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes… |
| CVE-2022-28330 | MEDIUM | 5.3 | 2022-06-09 | Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. |
| CVE-2022-28614 | MEDIUM | 5.3 | 2022-06-09 | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or a… |
| CVE-2022-37436 | MEDIUM | 5.3 | 2023-01-17 | Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. … |
| CVE-2024-40725 | MEDIUM | 5.3 | 2024-07-18 | A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar confi… |
| CVE-2026-33857 | MEDIUM | 5.3 | 2026-05-04 | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4… |
| CVE-2026-34032 | MEDIUM | 5.3 | 2026-05-04 | Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2026-33007 | MEDIUM | 5.3 | 2026-05-04 | A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward pr… |
| CVE-2011-2516 | MEDIUM | 5.0 | 2011-07-11 | Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to caus… |
| CVE-2013-6438 | MEDIUM | 5.0 | 2014-03-18 | The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, whic… |
| CVE-2014-0098 | MEDIUM | 5.0 | 2014-03-18 | The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation … |
| CVE-2012-5641 | MEDIUM | 5.0 | 2014-03-18 | Directory traversal vulnerability in the partition2 function in mochiweb_util.erl in MochiWeb before 2.4.0, as used in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x b… |
| CVE-2014-0231 | MEDIUM | 5.0 | 2014-07-20 | The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a requ… |
| CVE-2014-3523 | MEDIUM | 5.0 | 2014-07-20 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is en… |
| CVE-2014-3581 | MEDIUM | 5.0 | 2014-10-10 | The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of ser… |
| CVE-2014-3583 | MEDIUM | 5.0 | 2014-12-15 | The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer ov… |
| CVE-2015-0228 | MEDIUM | 5.0 | 2015-03-08 | The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process… |
| CVE-2015-0253 | MEDIUM | 5.0 | 2015-07-20 | The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a de… |
| CVE-2015-3183 | MEDIUM | 5.0 | 2015-07-20 | The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smu… |
| CVE-2015-3184 | MEDIUM | 5.0 | 2015-08-12 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote ano… |
| CVE-2024-45478 | MEDIUM | 4.8 | 2025-01-21 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this… |
| CVE-2026-33006 | MEDIUM | 4.8 | 2026-05-04 | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.… |
| CVE-2021-32786 | MEDIUM | 4.7 | 2021-07-22 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID… |
| CVE-2021-39191 | MEDIUM | 4.7 | 2021-09-03 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID… |
| CVE-2022-23527 | MEDIUM | 4.7 | 2022-12-14 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When p… |
| CVE-2012-3502 | MEDIUM | 4.3 | 2012-08-22 | The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does … |
| CVE-2012-3451 | MEDIUM | 4.3 | 2012-09-24 | Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action Str… |
| CVE-2012-2378 | MEDIUM | 4.3 | 2013-01-05 | Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the clie… |
| CVE-2012-3499 | MEDIUM | 4.3 | 2013-02-26 | Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script … |
| CVE-2012-4558 | MEDIUM | 4.3 | 2013-02-26 | Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apach… |
| CVE-2013-4352 | MEDIUM | 4.3 | 2014-07-20 | The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP… |
| CVE-2014-0117 | MEDIUM | 4.3 | 2014-07-20 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via… |
| CVE-2014-0118 | MEDIUM | 4.3 | 2014-07-20 | The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attack… |
| CVE-2014-8109 | MEDIUM | 4.3 | 2014-12-29 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is us… |
| CVE-2015-3185 | MEDIUM | 4.3 | 2015-07-20 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authoriza… |
| CVE-2016-8612 | MEDIUM | 4.3 | 2018-03-09 | Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerable to an Improper Input Validation in the protocol parsing logic in the load balancer resulting in a Segmenta… |
| CVE-2023-46288 | MEDIUM | 4.3 | 2023-10-23 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration informat… |
| CVE-2025-27427 | MEDIUM | 4.3 | 2025-04-01 | A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type support… |
| CVE-2026-32642 | MEDIUM | 4.3 | 2026-03-24 | Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable … |
| CVE-2026-40914 | MEDIUM | 4.3 | 2026-05-28 | A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address c… |
| CVE-2019-0197 | MEDIUM | 4.2 | 2019-06-11 | A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request fro… |
| CVE-2021-32792 | LOW | 3.1 | 2021-07-26 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID… |
| CVE-2012-2687 | LOW | 2.6 | 2012-08-22 | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4… |
| CVE-2025-31492 | N/A | — | 2025-04-06 | mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prio… |
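The table above is matched on the version string "2.4", so it mixes httpd entries with rows about other Apache projects, and it states affected versions only in free text. The script below is an added example (not code from this page or from the Apache project) that turns a table in this layout into a yes/no answer for the version you actually run: it drops rows that do not name Apache HTTP Server or httpd, extracts the version range from the phrasings the rows use ("X to Y", "X-Y", "X through Y", "before X", "prior to X", "X and earlier", or a single bare version), and compares them against the version from `httpd -v` or a `Server` header. The sample rows are constructed and shortened from entries on the page, and the parsing rules are assumptions that cover only those phrasings.

```python
"""Triage a flattened CVE table against the Apache HTTP Server version you run.

Added example for this page, not code from the page or from the Apache project.
Assumptions: rows use the "| CVE | severity | score | date | text |" layout, version
phrases are the ones seen in those rows, and a row concerns httpd only if its text
names "Apache HTTP Server" or "httpd". Distro packages backport fixes without
changing the version number, so a hit here means "check the package changelog",
not "confirmed vulnerable".
"""
import re

# Constructed sample rows, shortened from entries on the page. Two of them
# (Atlas, Airflow) are other Apache projects that merely contain "2.4".
SAMPLE_TABLE = """\
| CVE-2019-10097 | HIGH | 7.2 | 2019-09-26 | In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol. |
| CVE-2024-46910 | HIGH | 7.1 | 2025-02-13 | An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. |
| CVE-2020-1927 | MEDIUM | 6.1 | 2020-04-02 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines. |
| CVE-2025-54090 | MEDIUM | 6.3 | 2025-07-23 | A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. |
| CVE-2021-30641 | MEDIUM | 5.3 | 2021-06-10 | Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'. |
| CVE-2022-28614 | MEDIUM | 5.3 | 2022-06-09 | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory. |
| CVE-2014-0226 | MEDIUM | 6.8 | 2014-07-20 | Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service. |
| CVE-2022-43985 | MEDIUM | 6.1 | 2022-11-02 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
"""

VER = r"\d+\.\d+\.\d+"


def ver(s):
    """'2.4.41' -> (2, 4, 41) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def mentions_httpd(text):
    """True only for rows about the web server itself, not other Apache projects."""
    t = text.lower()
    return "apache http server" in t or "httpd" in t


def parse_range(text):
    """Return (lo, hi, hi_inclusive) for the first version phrase in text, or None.

    lo is None when only an upper bound is given. A bare version ("in 2.4.64") is
    treated as exactly that release. Lists such as "2.4.17 and 2.4.18" are a known
    gap: only the first version is picked up.
    """
    m = re.search(rf"({VER})\s*(?:-|to|through)\s*({VER})", text)
    if m:
        return ver(m.group(1)), ver(m.group(2)), True
    m = re.search(rf"(?:before|prior to)(?: version)?\s+({VER})", text)
    if m:
        return None, ver(m.group(1)), False
    m = re.search(rf"({VER})\s+and\s+(?:earlier|prior)", text)
    if m:
        return None, ver(m.group(1)), True
    m = re.search(rf"through\s+({VER})", text)
    if m:
        return None, ver(m.group(1)), True
    m = re.search(rf"\b({VER})\b", text)
    if m:
        return ver(m.group(1)), ver(m.group(1)), True
    return None


def affected(installed, rng):
    """Is the installed version tuple inside the parsed range?"""
    lo, hi, inclusive = rng
    if lo is not None and installed < lo:
        return False
    return installed <= hi if inclusive else installed < hi


def installed_version(banner):
    """Pull x.y.z out of 'Server: Apache/2.4.41 (Ubuntu)' or 'Server version: Apache/2.4.41'."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z token in banner (ServerTokens may hide it)")
    return ver(m.group(1))


def triage(table_text, banner):
    """Return the installed version, the rows that cover it (highest score first),
    and the CVE ids skipped because they describe a different product."""
    installed = installed_version(banner)
    hits, skipped = [], []
    for line in table_text.splitlines():
        if not line.startswith("|"):
            continue
        parts = [f.strip() for f in line.strip().strip("|").split("|", 4)]
        if len(parts) != 5:
            continue
        cve, sev, score, _date, text = parts
        if not mentions_httpd(text):
            skipped.append(cve)
            continue
        rng = parse_range(text)
        if rng and affected(installed, rng):
            try:
                hits.append((cve, sev, float(score)))
            except ValueError:  # score column may be "—"
                hits.append((cve, sev, 0.0))
    hits.sort(key=lambda h: -h[2])
    return {"installed": installed, "hits": hits, "skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_TABLE, "Server: Apache/2.4.41 (Ubuntu)")
    print("installed:", ".".join(map(str, report["installed"])))
    for cve, sev, score in report["hits"]:
        print(f"  CHECK {cve} {sev} {score}")
    print("skipped (other Apache projects):", ", ".join(report["skipped"]))
```

Run against a banner of `Apache/2.4.41`, the sample reports CVE-2020-1927, CVE-2021-30641 and CVE-2022-28614 for follow-up and sets the Atlas and Airflow rows aside. Treat the output as a worklist, not a verdict: on Debian, Ubuntu or Red Hat packages, confirm each hit against `apt changelog apache2` or `rpm -q --changelog httpd`, because a backported fix leaves the version string unchanged.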
The 212 CVEs this page counts against Apache 2.4, 41 of them rated critical, are a real risk for the 1,711 websites still running unpatched versions, but the table needs two caveats before you act on it. First, the list is matched on the version string "2.4", so a number of rows describe other Apache projects (Airflow, ActiveMQ Artemis, Kafka, Tika, CXF, Atlas, Ranger, Kylin, Hadoop, Jackrabbit, Ambari, Groovy, CouchDB) or third-party modules and integrations (mod_auth_openidc, mod_authz_svn, mod_cluster, PHP's apache2handler, FreeRDP, HPE IceWall, Shibboleth's XML Security library); those do not affect httpd itself, and only the rows that name Apache HTTP Server or httpd apply to your web server. Second, the version httpd reports (`httpd -v`, or the Server header if ServerTokens exposes it) understates patch state on distribution packages: Debian, Ubuntu and Red Hat backport security fixes without changing the version number, so check the package changelog (`apt changelog apache2`, `rpm -q --changelog httpd`) before concluding that a listed CVE is open. The remaining entries are not theoretical: publicly documented flaws such as CVE-2017-3167 (authentication bypass when third-party modules call ap_get_basic_auth_pw() outside the authentication phase) and CVE-2017-3169 (NULL pointer dereference in mod_ssl), both fixed in 2.4.26, are exactly the kind of bug that gets weaponised once a patch is public. Delaying your security updates increases the likelihood that your website will become a target, potentially exposing customer data, damaging your reputation, and violating compliance regulations.
Protecting your website requires more than just patching Apache—you need a comprehensive security strategy that includes regular vulnerability scanning, security monitoring, and proactive threat detection. SiteRecipe.com provides automated security scanning tools that identify vulnerabilities across your entire web infrastructure, track patch progress, and alert you immediately when new threats emerge. Don't wait for a breach to happen. Visit SiteRecipe.com today to scan your Apache servers, discover hidden vulnerabilities, and get step-by-step remediation guidance tailored to your specific environment.