Apache Solr
16 CVEs affecting Apache Solr. Latest disclosed: 2026-06-01. Critical: 1, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2017-12629 | Critical | 9.8 | 2017-10-14 | Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener com… |
CVE-2026-44825 | High | 8.1 | 2026-06-01 | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote att… |
CVE-2023-44487 | High | 7.5 | 2023-10-10 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the w… |
CVE-2017-9803 | High | 7.5 | 2017-09-18 | Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another app… |
CVE-2017-3163 | High | 7.5 | 2017-08-30 | When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However… |
CVE-2017-7660 | High | 7.5 | 2017-07-07 | Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that… |
CVE-2015-8797 | Medium | 6.1 | 2016-02-15 | Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attack… |
CVE-2015-8796 | Medium | 6.1 | 2016-02-15 | Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject… |
CVE-2015-8795 | Medium | 6.1 | 2016-02-15 | Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via… |
CVE-2019-12409 | | 2019-11-18 | The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configura… | |
CVE-2019-12401 | | 2019-09-10 | Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler… | |
CVE-2014-3628 | | 2015-01-06 | Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web s… | |
CVE-2012-6612 | | 2013-12-07 | The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data… | |
CVE-2013-6408 | | 2013-12-07 | The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecif… | |
CVE-2013-6407 | | 2013-12-07 | The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity dec… | |
CVE-2013-6397 | | 2013-12-07 | Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pa… |