Apache Http_server
87 CVEs affecting Apache Http_server. Latest disclosed: 2026-05-05. Critical: 6, High: 15.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-28780 | Critical | 9.8 | 2026-05-05 | Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a… |
| CVE-2017-7679 | Critical | 9.8 | 2017-06-20 | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response… |
| CVE-2017-3169 | Critical | 9.8 | 2017-06-20 | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection()… |
| CVE-2017-3167 | Critical | 9.8 | 2017-06-20 | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may l… |
| CVE-2009-3555 | Critical | 9.8 | 2009-11-09 | The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Serve… |
| CVE-2017-9788 | Critical | 9.1 | 2017-07-13 | In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset bef… |
| CVE-2026-23918 | High | 8.8 | 2026-05-04 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommend… |
| CVE-2026-24072 | High | 8.8 | 2026-05-04 | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the htt… |
| CVE-2016-5387 | High | 8.1 | 2016-07-19 | The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in… |
| CVE-2026-29169 | High | 7.5 | 2026-05-04 | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_… |
| CVE-2026-34059 | High | 7.5 | 2026-05-04 | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4… |
| CVE-2017-9798 | High | 7.5 | 2017-09-18 | Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has… |
| CVE-2016-8743 | High | 7.5 | 2017-07-27 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Ac… |
| CVE-2016-2161 | High | 7.5 | 2017-07-27 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for… |
| CVE-2016-0736 | High | 7.5 | 2017-07-27 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB… |
| CVE-2017-7659 | High | 7.5 | 2017-07-26 | A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. |
| CVE-2017-9789 | High | 7.5 | 2017-07-13 | When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting i… |
| CVE-2017-7668 | High | 7.5 | 2017-06-20 | The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the… |
| CVE-2016-8740 | High | 7.5 | 2016-12-05 | The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header len… |
| CVE-2016-4979 | High | 7.5 | 2016-07-06 | The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for H… |