Apache HTTP Server 2.4.6 is running on approximately 9,000 websites worldwide, but it contains 37 known vulnerabilities—including 4 critical flaws that could compromise your entire server. These security gaps expose your website to script execution attacks, information disclosure, and unauthorized access. If your site is still using this outdated version, you're at significant risk of being hacked.
The good news is that upgrading is straightforward, and we'll walk you through every step. This guide will help you identify if you're vulnerable, understand the risks, and implement the necessary fixes to protect your business.
Apache HTTP Server is the most popular web server software on the internet, powering roughly 30% of all websites. It's the software that handles requests from visitors' browsers and delivers your web pages. Version 2.4.6, released in 2013, is an older iteration that many websites still use—often without realizing how outdated and vulnerable it has become.
Think of Apache like the front door to your house. An old, broken lock (an outdated Apache version) is an invitation to intruders. Modern versions of Apache include security patches and features that close dangerous doors for attackers. Running 2.4.6 means you're relying on locks that are more than a decade old, making it easier for cybercriminals to break in and steal data, inject malicious code, or take your site offline entirely.
37 CVEs found. The most critical are explained below.
Apache 2.4.59 and earlier has a flaw that lets attackers run script files that are hidden from normal web access. This happens through a trick in how Apache rewrites web addresses. Attackers could execute code on your server that you thought was protected.
Impact: An attacker could run malicious scripts on your server, potentially stealing data, modifying your website, or taking complete control of your hosting environment.
Apache 2.4.59 and earlier can leak sensitive information through response headers from backend applications. Attackers could also trick your server into making unauthorized requests to internal systems or executing code locally.
Impact: Sensitive data like passwords or API keys could be exposed, or attackers could access internal systems that should be private, compromising your entire infrastructure.
If your Apache server connects to another application server using the AJP protocol, a malicious server could send specially crafted messages that corrupt Apache's memory. This happens in the mod_proxy_ajp module.
Impact: An attacker could crash your web server or execute arbitrary code with the privileges of the Apache user, resulting in potential data breach or service outage.
Apache 2.4.35 through 2.4.63 with SSL/TLS has a flaw affecting servers hosting multiple websites with different security rules. Using TLS 1.3 session resumption, an attacker could bypass access controls meant to restrict certain clients.
Impact: Someone blocked from accessing part of your website could regain access by reusing previous login sessions, potentially accessing restricted content or accounts.
Apache Jackrabbit WebDAV in versions 2.4.x before 2.4.6 lacks proper checks for forged requests. An attacker can trick a logged-in user's browser into performing unwanted actions on your website without their knowledge. Note that Apache Jackrabbit is a separate Apache project (a content repository), and its 2.4.x version numbers do not correspond to Apache HTTP Server 2.4.x; this entry applies only if you also run Jackrabbit.
Impact: Attackers could change website content, delete files, create unauthorized accounts, or steal sensitive information while impersonating legitimate users.
Apache 2.4.66 and earlier has a bug where local users who can modify .htaccess files can read any file on your server that the Apache process can access. This includes configuration files containing passwords.
Impact: Local users or developers with limited access could steal sensitive information like database passwords, API keys, or customer data stored on your server.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-23918 | HIGH | 8.8 | 2026-05-04 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2025-58098 | HIGH | 8.3 | 2025-12-05 | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. … |
| CVE-2024-38473 | HIGH | 8.1 | 2024-07-01 | Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentica… |
| CVE-2024-38472 | HIGH | 7.5 | 2024-07-01 | SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to … |
| CVE-2024-38477 | HIGH | 7.5 | 2024-07-01 | null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to … |
| CVE-2024-39573 | HIGH | 7.5 | 2024-07-01 | Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. User… |
| CVE-2024-40898 | HIGH | 7.5 | 2024-07-18 | SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. User… |
| CVE-2024-42516 | HIGH | 7.5 | 2025-07-10 | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server c… |
| CVE-2024-43204 | HIGH | 7.5 | 2025-07-10 | SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where … |
| CVE-2024-43394 | HIGH | 7.5 | 2025-07-10 | Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass u… |
| CVE-2024-47252 | HIGH | 7.5 | 2025-07-10 | Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in so… |
| CVE-2025-53020 | HIGH | 7.5 | 2025-07-10 | Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to up… |
| CVE-2025-55753 | HIGH | 7.5 | 2025-12-05 | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempt… |
| CVE-2025-59775 | HIGH | 7.5 | 2025-12-05 | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to… |
| CVE-2026-34059 | HIGH | 7.5 | 2026-05-04 | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the … |
| CVE-2026-29169 | HIGH | 7.5 | 2026-05-04 | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used int… |
| CVE-2025-49812 | HIGH | 7.4 | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via… |
| CVE-2026-29168 | HIGH | 7.3 | 2026-05-05 | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 thro… |
| CVE-2025-65082 | MEDIUM | 6.5 | 2025-12-05 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly super… |
| CVE-2026-33523 | MEDIUM | 6.5 | 2026-05-04 | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.… |
| CVE-2015-1833 | MEDIUM | 6.4 | 2015-05-29 | XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.… |
| CVE-2025-54090 | MEDIUM | 6.3 | 2025-07-23 | A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. |
| CVE-2024-39884 | MEDIUM | 6.2 | 2024-07-04 | A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under som… |
| CVE-2025-66200 | MEDIUM | 5.4 | 2025-12-05 | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scrip… |
| CVE-2019-17567 | MEDIUM | 5.3 | 2021-06-10 | Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regard… |
| CVE-2024-40725 | MEDIUM | 5.3 | 2024-07-18 | A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar confi… |
| CVE-2026-33857 | MEDIUM | 5.3 | 2026-05-04 | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4… |
| CVE-2026-34032 | MEDIUM | 5.3 | 2026-05-04 | Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2026-33007 | MEDIUM | 5.3 | 2026-05-04 | A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward pr… |
| CVE-2026-33006 | MEDIUM | 4.8 | 2026-05-04 | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.… |
| CVE-2013-4352 | MEDIUM | 4.3 | 2014-07-20 | The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP… |
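To turn the version ranges quoted in the table into a quick "am I affected" check, here is an added example (not SiteRecipe's own tooling and not part of the original page). It parses the version out of an `httpd -v` line or a `Server:` response header and compares it against a handful of ranges transcribed from the rows above; the banners it is run on are constructed, and the range list is a sample, not the full NVD data.

```python
"""Check an Apache httpd version banner against affected-version ranges
quoted in the CVE table.  Added example, not SiteRecipe's tooling; the
ranges are transcribed from the table rows and the banners are constructed."""
import re
from typing import Optional

Version = tuple[int, int, int]

# (cve_id, first_affected, last_affected) as worded in the table rows.
# None as the lower bound means "and earlier" / "through".  These are
# transcribed, not checked against NVD's full CPE data, so treat a hit as
# "needs review", not as a confirmed finding.
AFFECTED = [
    ("CVE-2024-38473", None, (2, 4, 59)),        # "2.4.59 and earlier"
    ("CVE-2025-53020", (2, 4, 17), (2, 4, 63)),  # "from 2.4.17 up to 2.4.63"
    ("CVE-2019-17567", (2, 4, 6), (2, 4, 46)),   # "2.4.6 to 2.4.46"
    ("CVE-2026-34059", None, (2, 4, 66)),        # "through 2.4.66"
    ("CVE-2025-54090", (2, 4, 64), (2, 4, 64)),  # exactly 2.4.64
]
FIXED_IN: Version = (2, 4, 67)  # the version this page recommends upgrading to


def parse_version(banner: str) -> Optional[Version]:
    """Extract major.minor.patch from 'Server: Apache/2.4.6 (CentOS)' or the
    'Server version: Apache/2.4.6 (Unix)' line printed by httpd -v.
    Returns None when the banner hides the version (e.g. ServerTokens Prod)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def affected_cves(version: Version) -> list[str]:
    """Return the sample CVEs whose stated range includes this version."""
    return [cve for cve, lo, hi in AFFECTED
            if (lo is None or lo <= version) and version <= hi]


def assess(banner: str) -> dict:
    """Summarise one banner: parsed version, matching CVEs, and a verdict."""
    v = parse_version(banner)
    if v is None:
        return {"version": None, "cves": [],
                "verdict": "version hidden; run httpd -v on the host"}
    cves = affected_cves(v)
    verdict = "upgrade" if v < FIXED_IN or cves else "current"
    return {"version": v, "cves": cves, "verdict": verdict}


if __name__ == "__main__":
    for b in ("Server: Apache/2.4.6 (CentOS)", "Server: Apache"):
        print(b, "->", assess(b))
```

A hidden banner is not a clean bill of health: `ServerTokens Prod` only suppresses the number, so confirm the installed version on the host itself.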
Running Apache 2.4.6 is like leaving your front door unlocked while you sleep. The 4 critical vulnerabilities in this version allow attackers to execute scripts, steal sensitive information, and bypass security controls—potentially compromising your entire website and customer data. With 37 known CVEs and thousands of sites still vulnerable, hackers are actively targeting this version.
Upgrading to Apache 2.4.67 takes just minutes and eliminates nearly all these risks. Use SiteRecipe.com's vulnerability scanning tools to identify all outdated software on your server, prioritize fixes, and track your security improvements over time. Don't wait—upgrade today and protect your business from preventable attacks.