Apache http server
This hub aggregates every CVE we track for Apache http server, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.
126
CVEs tracked
26
Critical
57
High
6
In CISA KEV
Severity distribution
HIGH57MEDIUM43CRITICAL26
Monthly trend
0
0
0
0
0
0
0
0
1
0
0
4
0
0
0
0
1
0
0
0
0
0
9
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Apache http server.
- CVE-2026-49975Apache HTTP Server: mod_http2 denial of service7.5
- CVE-2026-48913Apache HTTP Server: mod_http2 memory corruption when file handles exhausted7.3
- CVE-2026-42536Apache HTTP Server: mod_xml2enc heap overflow7.5
- CVE-2026-44185Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request`7.3
- CVE-2026-44631Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow9.8
- CVE-2026-44119Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules5.5
- CVE-2026-43951Apache HTTP Server: OOB Read in `merge_response_headers` can cause crash6.5
- CVE-2026-42535Apache HTTP Server: mod_dav_fs protected directory access9.1
- CVE-2026-44186Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp7.3
- CVE-2025-55753Apache HTTP Server: mod_md (ACME), unintended retry intervals7.5
- CVE-2025-54090Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.646.3
- CVE-2024-43394Apache HTTP Server: SSRF on Windows due to UNC paths7.5
- CVE-2024-43204Apache HTTP Server: SSRF with mod_headers setting Content-Type header7.5
- CVE-2024-42516Apache HTTP Server: HTTP response splitting7.5
- CVE-2025-3891Mod_auth_openidc: dos via empty post in mod_auth_openidc with oidcpreservepost enabled7.5
Product normalization is registry-driven with AI assist and human review. How it works