Apache Hertzbeat
16 CVEs affecting Apache Hertzbeat. Latest disclosed: 2026-02-10. Critical: 3, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-51653 | Critical | 9.8 | 2024-02-22 | Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The… |
| CVE-2023-51389 | Critical | 9.8 | 2024-02-22 | Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuratio… |
| CVE-2023-51388 | Critical | 9.8 | 2024-02-22 | Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security p… |
| CVE-2026-24343 | High | 8.8 | 2026-02-10 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7… |
| CVE-2025-48208 | High | 8.8 | 2025-09-09 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. The attacker needs to have… |
| CVE-2025-24404 | High | 8.8 | 2025-09-09 | XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with ac… |
| CVE-2024-45505 | High | 8.8 | 2024-11-18 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). This vulnerability can onl… |
| CVE-2024-41151 | High | 8.8 | 2024-11-18 | Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Ap… |
| CVE-2024-42323 | High | 8.8 | 2024-09-21 | SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). This vulnerability can only be exploited by authorized attackers. This… |
| CVE-2024-42362 | High | 8.8 | 2024-08-20 | Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. Th… |
| CVE-2024-45791 | High | 7.5 | 2024-11-18 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are re… |
| CVE-2024-42361 | High | 7.5 | 2024-08-20 | Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to downl… |
| CVE-2023-51650 | High | 7.5 | 2023-12-22 | Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulner… |
| CVE-2022-39337 | High | 7.5 | 2023-12-22 | Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1… |
| CVE-2023-51387 | High | 7.2 | 2023-12-22 | Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be… |
| CVE-2024-56736 | Medium | 6.5 | 2025-04-16 | Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended t… |