pkg:Alpine/apache2

115 total CVEs: CRITICAL 24, HIGH 61, MEDIUM 30

All known vulnerabilities

  • CRITICAL 9.8 · CVE-2021-42013 · ⚠ KEV · Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
    from 0, < 2.4.51-r0
  • CRITICAL 9.8 · CVE-2021-41773 · ⚠ KEV · Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
    from 0, < 2.4.50-r0
  • CRITICAL 9.1 · CVE-2024-38475 · ⚠ KEV · Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.
    from 0, < 2.4.60-r0
  • CRITICAL 9.0 · CVE-2021-40438 · ⚠ KEV · mod_proxy SSRF
    from 0, < 2.4.49-r0
  • HIGH 7.8 · CVE-2019-0211 · ⚠ KEV · Apache HTTP Server Privilege Escalation Vulnerability
    from 0, < 2.4.39-r0
  • CRITICAL 9.8 · CVE-2026-28780 · Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
    from 0, < 2.4.67-r0
  • CRITICAL 9.8 · CVE-2024-38476 · Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
    from 0, < 2.4.60-r0
  • CRITICAL 9.8 · CVE-2024-38474 · Apache HTTP Server weakness with encoded question marks in backreferences
    from 0, < 2.4.60-r0
  • CRITICAL 9.8 · CVE-2023-25690 · Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
    from 0, < 2.4.56-r0
  • CRITICAL 9.8 · CVE-2022-31813 · mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
    from 0, < 2.4.54-r0
  • CRITICAL 9.8 · CVE-2022-23943 · mod_sed: Read/write beyond bounds
    from 0, < 2.4.53-r0
  • CRITICAL 9.8 · CVE-2022-22720 · HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
    from 0, < 2.4.53-r0
  • CRITICAL 9.8 · CVE-2021-44790 · Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
    from 0, < 2.4.52-r0
  • CRITICAL 9.8 · CVE-2021-39275 · ap_escape_quotes buffer overflow
    from 0, < 2.4.49-r0
  • CRITICAL 9.8 · CVE-2021-26691 · Apache HTTP Server mod_session response handling heap overflow
    from 0, < 2.4.48-r0
  • CRITICAL 9.8 · CVE-2020-11984 · apache2 - security update
    from 0, < 2.4.46-r0
  • CRITICAL 9.8 · CVE-2018-1312 · In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not c…
    from 0, < 2.4.33-r0
  • CRITICAL 9.8 · CVE-2017-7679 · In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious C…
    from 0, < 2.4.26-r0
  • CRITICAL 9.8 · CVE-2017-3169 · In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_p…
    from 0, < 2.4.26-r0
  • CRITICAL 9.8 · CVE-2017-3167 · apache2 - security update
    from 0, < 2.4.26-r0
  • CRITICAL 9.1 · CVE-2025-23048 · Apache HTTP Server: mod_ssl access control bypass with session resumption
    from 0, < 2.4.64-r0
  • CRITICAL 9.1 · CVE-2022-28615 · Read beyond bounds in ap_strcmp_match()
    from 0, < 2.4.54-r0
  • CRITICAL 9.1 · CVE-2022-22721 · core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
    from 0, < 2.4.53-r0
  • CRITICAL 9.1 · CVE-2019-10082 · In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed…
    from 0, < 2.4.41-r0
  • CRITICAL 9.0 · CVE-2022-36760 · Apache HTTP Server: mod_proxy_ajp Possible request smuggling
    from 0, < 2.4.55-r0
  • HIGH 8.8 · CVE-2026-23918 · Apache HTTP Server: http2: double free and possible RCE on early reset
    from 0, < 2.4.67-r0
  • HIGH 8.8 · CVE-2026-24072 · Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr
    from 0, < 2.4.67-r0
  • HIGH 8.3 · CVE-2025-58098 · Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
    from 0, < 2.4.66-r0
  • HIGH 8.2 · CVE-2021-44224 · Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
    from 0, < 2.4.52-r0
  • HIGH 8.1 · CVE-2024-38473 · Apache HTTP Server proxy encoding problem
    from 0, < 2.4.60-r0
  • HIGH 8.1 · CVE-2017-15715 · In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, r…
    from 0, < 2.4.33-r0
  • HIGH 8.1 · CVE-2016-5387 · apache2 - security update
    from 0, < 2.4.23-r1
  • HIGH 7.5 · CVE-2026-29169 · Apache HTTP Server: mod_dav_lock indirect lock crash
    from 0, < 2.4.67-r0
  • HIGH 7.5 · CVE-2026-34059 · Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()
    from 0, < 2.4.67-r0
  • HIGH 7.5 · CVE-2025-59775 · Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF
    from 0, < 2.4.66-r0
  • HIGH 7.5 · CVE-2025-55753 · Apache HTTP Server: mod_md (ACME), unintended retry intervals
    from 0, < 2.4.66-r0
  • HIGH 7.5 · CVE-2025-53020 · Apache HTTP Server: HTTP/2 DoS by Memory Increase
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2025-49630 · Apache HTTP Server: mod_proxy_http2 denial of service
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2024-47252 · Apache HTTP Server: mod_ssl error log variable escaping
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2024-43394 · Apache HTTP Server: SSRF on Windows due to UNC paths
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2024-43204 · Apache HTTP Server: SSRF with mod_headers setting Content-Type header
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2024-42516 · Apache HTTP Server: HTTP response splitting
    from 0, < 2.4.64-r0
  • HIGH 7.5 · CVE-2024-40898 · Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows
    from 0, < 2.4.62-r0
  • HIGH 7.5 · CVE-2024-39573 · Apache HTTP Server: mod_rewrite proxy handler substitution
    from 0, < 2.4.60-r0
  • HIGH 7.5 · CVE-2024-38477 · Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
    from 0, < 2.4.60-r0
  • HIGH 7.5 · CVE-2024-38472 · SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or conte…
    from 0, < 2.4.60-r0
  • HIGH 7.5 · CVE-2024-27316 · Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
    from 0, < 2.4.59-r0
  • HIGH 7.5 · CVE-2023-43622 · Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
    from 0, < 2.4.58-r0
  • HIGH 7.5 · CVE-2023-31122 · Apache HTTP Server: mod_macro buffer over-read
    from 0, < 2.4.58-r0
  • HIGH 7.5 · CVE-2023-27522 · Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting
    from 0, < 2.4.56-r0
  • HIGH 7.5 · CVE-2006-20001 · apache2 - security update
    from 0, < 2.4.55-r0
  • HIGH 7.5 · CVE-2022-30556 · Information Disclosure in mod_lua with websockets
    from 0, < 2.4.54-r0
  • HIGH 7.5 · CVE-2022-30522 · mod_sed denial of service
    from 0, < 2.4.54-r0
  • HIGH 7.5 · CVE-2022-29404 · Denial of service in mod_lua r:parsebody
    from 0, < 2.4.54-r0
  • HIGH 7.5 · CVE-2022-26377 · mod_proxy_ajp: Possible request smuggling
    from 0, < 2.4.54-r0
  • HIGH 7.5 · CVE-2022-22719 · mod_lua Use of uninitialized value of in r:parsebody
    from 0, < 2.4.53-r0
  • HIGH 7.5 · CVE-2021-41524 · null pointer dereference in h2 fuzzing
    from 0, < 2.4.50-r0
  • HIGH 7.5 · CVE-2021-36160 · mod_proxy_uwsgi out of bound read
    from 0, < 2.4.49-r0
  • HIGH 7.5 · CVE-2021-34798 · NULL pointer dereference in httpd core
    from 0, < 2.4.49-r0
  • HIGH 7.5 · CVE-2021-33193 · Request splitting via HTTP/2 method injection and mod_proxy
    from 0, < 2.4.49-r0
  • HIGH 7.5 · CVE-2021-31618 · NULL pointer dereference on specially crafted HTTP/2 request
    from 0, < 2.4.48-r0
  • HIGH 7.5 · CVE-2021-26690 · mod_session NULL pointer dereference
    from 0, < 2.4.48-r0
  • HIGH 7.5 · CVE-2020-13950 · mod_proxy_http NULL pointer dereference
    from 0, < 2.4.48-r0
  • HIGH 7.5 · CVE-2020-9490 · Apache HTTP Server versions 2.4.20 to 2.4.43.
    from 0, < 2.4.46-r0
  • HIGH 7.5 · CVE-2020-11993 · Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, loggi…
    from 0, < 2.4.46-r0
  • HIGH 7.5 · CVE-2019-17657 · An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiM…
    from 0, < 2.4.48-r0
  • HIGH 7.5 · CVE-2019-10081 · apache2 - security update
    from 0, < 2.4.41-r0
  • HIGH 7.5 · CVE-2019-9517 · Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service.
    from 0, < 2.4.41-r0
  • HIGH 7.5 · CVE-2019-0217 · apache2 - security update
    from 0, < 2.4.39-r0
  • HIGH 7.5 · CVE-2019-0215 · In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3…
    from 0, < 2.4.39-r0
  • HIGH 7.5 · CVE-2019-0190 · A bug exists in the way mod_ssl handled client renegotiations.
    from 0, < 2.4.38-r0
  • HIGH 7.5 · CVE-2018-17199 · apache2 - security update
    from 0, < 2.4.38-r0
  • HIGH 7.5 · CVE-2018-8011 · By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault.
    from 0, < 2.4.34-r0
  • HIGH 7.5 · CVE-2018-1333 · By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a deni…
    from 0, < 2.4.34-r0
  • HIGH 7.5 · CVE-2018-1303 · A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while…
    from 0, < 2.4.33-r0
  • HIGH 7.5 · CVE-2017-15710 · apache2 - security update
    from 0, < 2.4.33-r0
  • HIGH 7.5 · CVE-2017-9798 · apache2 - security update
    from 0, < 2.4.27-r1
  • HIGH 7.5 · CVE-2017-7659 · A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash…
    from 0, < 2.4.26-r0
  • HIGH 7.5 · CVE-2017-9789 · When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has bee…
    from 0, < 2.4.27-r0
  • HIGH 7.5 · CVE-2017-7668 · The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token(…
    from 0, < 2.4.26-r0
  • HIGH 7.4 · CVE-2025-49812 · Apache HTTP Server: mod_ssl TLS upgrade attack
    from 0, < 2.4.64-r0
  • HIGH 7.3 · CVE-2026-29168 · Apache HTTP Server: mod_md unrestricted OCSP response
    from 0, < 2.4.67-r0
  • HIGH 7.3 · CVE-2023-38709 · Apache HTTP Server: HTTP response splitting
    from 0, < 2.4.59-r0
  • HIGH 7.3 · CVE-2020-35452 · mod_auth_digest possible stack overflow by one nul byte
    from 0, < 2.4.48-r0
  • HIGH 7.2 · CVE-2019-10097 · In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol…
    from 0, < 2.4.41-r0
  • MEDIUM 6.5 · CVE-2026-33523 · Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
    from 0, < 2.4.67-r0
  • MEDIUM 6.5 · CVE-2025-65082 · Apache HTTP Server: CGI environment variable override
    from 0, < 2.4.66-r0
  • MEDIUM 6.3 · CVE-2025-54090 · Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
    from 0, < 2.4.65-r0
  • MEDIUM 6.3 · CVE-2024-24795 · Apache HTTP Server: HTTP Response Splitting in multiple modules
    from 0, < 2.4.59-r0
  • MEDIUM 6.2 · CVE-2024-39884 · Apache HTTP Server: source code disclosure with handlers configured via AddType
    from 0, < 2.4.61-r0
  • MEDIUM 6.1 · CVE-2020-1927 · apache2 - security update
    from 0, < 2.4.43-r0
  • MEDIUM 6.1 · CVE-2019-10092 · apache2 - security update
    from 0, < 2.4.41-r0
  • MEDIUM 6.1 · CVE-2019-10098 · In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by e…
    from 0, < 2.4.41-r0
  • MEDIUM 5.9 · CVE-2023-45802 · Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
    from 0, < 2.4.58-r0
  • MEDIUM 5.9 · CVE-2018-11763 · In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CP…
    from 0, < 2.4.35-r0
  • MEDIUM 5.9 · CVE-2018-1302 · When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer p…
    from 0, < 2.4.33-r0
  • MEDIUM 5.9 · CVE-2018-1301 · A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size l…
    from 0, < 2.4.33-r0
  • MEDIUM 5.5 · CVE-2020-13938 · Improper Handling of Insufficient Privileges
    from 0, < 2.4.48-r0
  • MEDIUM 5.4 · CVE-2025-66200 · Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo
    from 0, < 2.4.66-r0
  • MEDIUM 5.4 · CVE-2024-36387 · Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
    from 0, < 2.4.60-r0
  • MEDIUM 5.3 · CVE-2026-33007 · Apache HTTP Server: mod_authn_socache crash
    from 0, < 2.4.67-r0
  • MEDIUM 5.3 · CVE-2026-34032 · Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
    from 0, < 2.4.67-r0
  • MEDIUM 5.3 · CVE-2026-33857 · Apache HTTP Server: Off-by-one OOB reads in AJP getter functions
    from 0, < 2.4.67-r0
  • MEDIUM 5.3 · CVE-2024-40725 · Apache HTTP Server: source code disclosure with handlers configured via AddType
    from 0, < 2.4.62-r0
  • MEDIUM 5.3 · CVE-2022-37436 · Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
    from 0, < 2.4.55-r0
  • MEDIUM 5.3 · CVE-2022-28614 · read beyond bounds via ap_rwrite()
    from 0, < 2.4.54-r0
  • MEDIUM 5.3 · CVE-2022-28330 · read beyond bounds in mod_isapi
    from 0, < 2.4.54-r0
  • MEDIUM 5.3 · CVE-2021-30641 · Unexpected URL matching with 'MergeSlashes OFF'
    from 0, < 2.4.48-r0
  • MEDIUM 5.3 · CVE-2020-1934 · In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
    from 0, < 2.4.43-r0
  • MEDIUM 5.3 · CVE-2019-0196 · A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38.
    from 0, < 2.4.39-r0
  • MEDIUM 5.3 · CVE-2019-0220 · A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38.
    from 0, < 2.4.39-r0
  • MEDIUM 5.3 · CVE-2018-17189 · apache2 - security update
    from 0, < 2.4.38-r0
  • MEDIUM 5.3 · CVE-2018-1283 · In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the def…
    from 0, < 2.4.33-r0
  • MEDIUM 4.8 · CVE-2026-33006 · Apache HTTP Server: mod_auth_digest timing attack
    from 0, < 2.4.67-r0
  • MEDIUM 4.2 · CVE-2019-0197 · A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38.
    from 0, < 2.4.39-r0