VulnHub

Apache has addressed a serious vulnerability in its HTTP/2 implementation, identified as CVE-2026-23918, which has a CVSS score of 8.8. This vulnerability is a double-free error that could allow attackers to execute arbitrary code remotely. Any systems using the affected version of Apache's HTTP server could be at risk, which includes a wide range of web applications and services relying on this technology. It's crucial for organizations using Apache to apply the latest updates to prevent potential exploitation of this flaw. Users are advised to check their current versions and ensure they are running the patched releases to mitigate this risk effectively.

Recent updates to Apache MINA and the Apache HTTP Server have addressed several high-severity vulnerabilities, with the most critical flaw allowing remote attackers to execute arbitrary code. This vulnerability poses a significant risk to users of these software platforms, as it could lead to unauthorized access and control over affected systems. Organizations that rely on Apache MINA and the HTTP Server need to prioritize applying these patches to safeguard their infrastructure. The updates are essential not only for protecting sensitive data but also for ensuring the overall integrity of services running on these platforms. Users should stay vigilant and ensure their installations are up to date to mitigate potential risks.

Researchers have discovered a long-hidden vulnerability in Apache ActiveMQ Classic, a widely-used messaging server. This bug was identified with the help of Anthropic's Claude AI, marking a significant find after 13 years. The vulnerability could allow attackers to manipulate message queues, potentially leading to data leaks or service disruptions. Companies that rely on ActiveMQ for their messaging infrastructure should take this discovery seriously, as it affects their systems' security. Users are urged to review their configurations and apply any available updates to mitigate risks associated with this flaw.

A serious vulnerability has been identified in multiple versions of the Apache Struts 2 framework, tracked as CVE-2025-68493. This XML external entity injection flaw could allow attackers to gain unauthorized access to sensitive data, cause denial-of-service attacks, or execute server-side request forgery (SSRF) attacks. Organizations using affected versions of Apache Struts 2 are at risk, which could lead to significant data breaches and disruptions. The issue emphasizes the need for developers and system administrators to ensure their applications are updated and secure against such vulnerabilities. Immediate action is necessary to mitigate potential exploitation.

Atlassian has addressed a significant security vulnerability in Apache Tika, which affects several of its products including Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira. This flaw poses a risk as it could potentially allow attackers to exploit the software, putting user data at risk. The company has released software updates to patch the vulnerability, urging users to apply these updates promptly to ensure their systems remain secure. This incident underscores the importance of regularly updating software to protect against known vulnerabilities. Users of the affected products should prioritize these updates to safeguard their environments from potential exploitation.

The article discusses a dual campaign targeting GlobalProtect portals and SonicWall APIs, highlighting a critical XXE vulnerability found in Apache software. This vulnerability poses a significant risk, necessitating immediate attention from affected organizations to mitigate potential exploitation.