top of page
ALL POSTS
Apache HTTP/2 Critical Double-Free Vulnerability (CVE-2026-23918) Enables RCE and DoS Attacks
Key Findings Apache HTTP Server 2.4.66 contains CVE-2026-23918, a critical double-free vulnerability in HTTP/2 handling with a CVSS score of 8.8 The flaw enables both denial-of-service attacks and remote code execution under certain conditions Affected versions are patched in Apache 2.4.67 Exploitation requires minimal effort for DoS but RCE demands specific server configurations with APR mmap allocator MPM prefork mode is not affected, but HTTP/2's widespread deployment sign
May 62 min read
CVE-2025-60021: Apache bRPC Vulnerability Allows Remote Command Injection
Key Findings Apache has patched a vulnerability (CVE-2025-60021) in its bRPC C++ RPC framework The flaw allows remote command injection by manipulating the `extra_options` parameter in the `/pprof/heap` endpoint The vulnerability affects bRPC versions 1.11.0 through 1.14.0, and is rated as "Important" bRPC is widely used in high-performance systems for search, storage, ML, advertising, and recommendation Successful exploitation could allow attackers to execute remote commands
Jan 171 min read
Maximum-severity XXE vulnerability discovered in Apache Struts
Key Findings A critical XXE vulnerability (CVE-2025-66516) with a CVSS score of 10.0 was discovered in Apache Tika The vulnerability allows XML external entity attacks and affects Tika's core, PDF, and parser modules Attackers can embed a malicious XFA file inside a PDF to trigger the XXE injection in Tika Background Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from various file types Tika is widely used in
Dec 6, 20251 min read
Apache Tika Hit by Critical XXE Bug (CVE-2025-66516, CVSS 10.0)
Key Findings A critical XML external entity (XXE) vulnerability, tracked as CVE-2025-66516, has been discovered in the Apache Tika toolkit. The vulnerability has a CVSS score of 10.0, indicating maximum severity. The flaw allows attackers to carry out XXE injection attacks by exploiting a crafted XFA file within a PDF document. The vulnerability affects multiple Apache Tika components, including the tika-core, tika-parser-pdf-module, and tika-parsers modules. This vulnerabili
Dec 5, 20252 min read
bottom of page
