Apache Zeppelin
22 CVEs affecting Apache Zeppelin. Latest disclosed: 2025-08-03. Critical: 3, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-31866 | Critical | 9.8 | 2024-04-09 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuratio… |
| CVE-2024-31864 | Critical | 9.8 | 2024-04-09 | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code… |
| CVE-2019-10095 | Critical | 9.8 | 2021-09-02 | bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache… |
| CVE-2018-1317 | High | 8.8 | 2019-04-23 | In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. |
| CVE-2017-12619 | High | 8.1 | 2019-04-23 | Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone". |
| CVE-2024-41169 | High | 7.5 | 2025-07-12 | The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This is… |
| CVE-2020-13929 | High | 7.5 | 2021-09-02 | Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affect… |
| CVE-2024-31867 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP s… |
| CVE-2024-31865 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook… |
| CVE-2024-31860 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g. ..), attackers can see the contents for any files in the fi… |
| CVE-2021-28655 | Medium | 6.5 | 2022-12-16 | The improper Input Validation vulnerability in "Move folder to Trash" feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue… |
| CVE-2024-41177 | Medium | 6.1 | 2025-08-03 | Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to up… |
| CVE-2024-31868 | Medium | 6.1 | 2024-04-09 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This… |
| CVE-2021-27578 | Medium | 6.1 | 2021-09-02 | Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppeli… |
| CVE-2018-1328 | Medium | 6.1 | 2019-04-23 | Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". |
| CVE-2021-28656 | Medium | 5.4 | 2024-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apach… |
| CVE-2022-46870 | Medium | 5.4 | 2022-12-16 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbi… |
| CVE-2024-51775 | Medium | 5.3 | 2025-08-03 | Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restri… |
| CVE-2024-52279 | Medium | 5.3 | 2025-08-03 | Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issu… |
| CVE-2024-31863 | Medium | 5.3 | 2024-04-09 | Authentication Bypass by Spoofing vulnerability by replacing to existing notes in Apache Zeppelin. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0… |