announce

CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF

Fri, 05 Dec 2025 07:16:21 GMT

2025/12/05 -- Eric Covener

CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...

Fri, 05 Dec 2025 07:10:58 GMT

2025/12/05 -- Eric Covener

CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals

Fri, 05 Dec 2025 07:05:00 GMT

2025/12/05 -- Eric Covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.66 Released

Thu, 04 Dec 2025 14:09:20 GMT

2025/12/04 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.65 Released

Wed, 23 Jul 2025 12:23:16 GMT

2025/07/23 -- covener

CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64

Wed, 23 Jul 2025 12:18:27 GMT

2025/07/23 -- Eric Covener

CVE-2024-47252: Apache HTTP Server: mod_ssl error log variable escaping

Fri, 11 Jul 2025 09:50:35 GMT

2025/07/11 -- Eric Covener

CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header

Fri, 11 Jul 2025 09:47:48 GMT

2025/07/11 -- Eric Covener

CVE-2024-43394: Apache HTTP Server: SSRF on Windows due to UNC paths

Fri, 11 Jul 2025 09:43:28 GMT

2025/07/11 -- Eric Covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.64 Released

Thu, 10 Jul 2025 15:59:46 GMT

2025/07/10 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.63 Released

Thu, 23 Jan 2025 21:01:27 GMT

2025/01/23 -- jim

CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType

Wed, 17 Jul 2024 18:32:28 GMT

2024/07/17 -- Eric Covener

CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows

Wed, 17 Jul 2024 18:29:01 GMT

2024/07/17 -- Eric Covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.61 Released

Wed, 03 Jul 2024 15:10:15 GMT

2024/07/03 -- covener

CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2

Mon, 01 Jul 2024 13:24:45 GMT

2024/07/01 -- Eric Covener

CVE-2024-38473: Apache HTTP Server proxy encoding problem

Mon, 01 Jul 2024 13:14:50 GMT

2024/07/01 -- Eric Covener

CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF

Mon, 01 Jul 2024 13:14:20 GMT

2024/07/01 -- Eric Covener

CVE-2024-38475: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

Mon, 01 Jul 2024 13:08:06 GMT

2024/07/01 -- Eric Covener

CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences

Mon, 01 Jul 2024 13:04:58 GMT

2024/07/01 -- Eric Covener

CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect

Mon, 01 Jul 2024 13:00:32 GMT

2024/07/01 -- Eric Covener

CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request

Mon, 01 Jul 2024 12:57:37 GMT

2024/07/01 -- Eric Covener

CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution

Mon, 01 Jul 2024 12:53:17 GMT

2024/07/01 -- Eric Covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.60 Released

Mon, 01 Jul 2024 12:50:49 GMT

2024/07/01 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.59 Released

Thu, 04 Apr 2024 14:02:33 GMT

2024/04/04 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.58 Released

Thu, 19 Oct 2023 09:37:01 GMT

2023/10/19 -- icing

[ANNOUNCEMENT] Apache HTTP Server 2.4.57 Released

Thu, 06 Apr 2023 17:42:46 GMT

2023/04/06 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.56 Released

Thu, 09 Mar 2023 12:32:56 GMT

2023/03/09 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.55 Released

Tue, 17 Jan 2023 17:18:11 GMT

2023/01/17 -- covener

[ANNOUNCEMENT] Apache HTTP Server 2.4.53 Released

Mon, 14 Mar 2022 10:01:13 GMT

2022/03/14 -- icing

[ANNOUNCEMENT] Apache HTTP Server 2.4.50 Released

Tue, 05 Oct 2021 08:46:06 GMT

2021/10/05 -- icing

[ANNOUNCEMENT] Apache HTTP Server 2.4.49 Released

Thu, 16 Sep 2021 10:18:07 GMT

2021/09/16 -- icing

CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request

Thu, 10 Jun 2021 09:29:44 GMT

2021/06/10 -- Christophe JAILLET

CVE-2021-26691: mod_session response handling heap overflow

Thu, 10 Jun 2021 09:22:11 GMT

2021/06/10 -- Christophe JAILLET

CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF'

Thu, 10 Jun 2021 09:19:29 GMT

2021/06/10 -- Christophe JAILLET

CVE-2021-26690: mod_session NULL pointer dereference

Thu, 10 Jun 2021 09:15:57 GMT

2021/06/10 -- Christophe JAILLET

CVE-2020-35452: mod_auth_digest possible stack overflow by one nul byte

Thu, 10 Jun 2021 09:13:15 GMT

2021/06/10 -- Christophe JAILLET

CVE-2020-13950: mod_proxy_http NULL pointer dereference

Thu, 10 Jun 2021 09:06:25 GMT

2021/06/10 -- Christophe JAILLET

CVE-2020-13938: Improper Handling of Insufficient Privileges

Thu, 10 Jun 2021 09:01:12 GMT

2021/06/10 -- Christophe JAILLET

CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections

Thu, 10 Jun 2021 08:59:43 GMT

2021/06/10 -- Christophe JAILLET

[ANNOUNCEMENT] Apache HTTP Server 2.4.48 Released

Wed, 02 Jun 2021 04:19:43 GMT

2021/06/02 -- Christophe JAILLET

[ANNOUNCE] libapreq2-2.16 Released

Mon, 22 Mar 2021 15:50:18 GMT

2021/03/22 -- jorton

CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header

Fri, 07 Aug 2020 13:23:21 GMT

2020/08/07 -- Daniel Ruggeri

CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

Fri, 07 Aug 2020 13:23:21 GMT

2020/08/07 -- Daniel Ruggeri

CVE-2020-11985: CWE-345: Insufficient verification of data authenticity

Fri, 07 Aug 2020 13:20:20 GMT

2020/08/07 -- Daniel Ruggeri

CVE-2020-11984: mod_uwsgi buffer overlow

Fri, 07 Aug 2020 13:19:25 GMT

2020/08/07 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.46 Released

Fri, 07 Aug 2020 13:16:25 GMT

2020/08/07 -- Daniel Ruggeri

CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers

Thu, 15 Aug 2019 03:59:51 GMT

2019/08/15 -- Daniel Ruggeri

CVE-2019-10098: mod_rewrite configurations vulnerable to open redirect

Thu, 15 Aug 2019 03:58:20 GMT

2019/08/15 -- Daniel Ruggeri

CVE-2019-10097: mod_remoteip stack buffer overflow and NULL pointer dereference

Thu, 15 Aug 2019 03:57:50 GMT

2019/08/15 -- Daniel Ruggeri

CVE-2019-10092: Limited cross-site scripting in mod_proxy

Thu, 15 Aug 2019 03:57:49 GMT

2019/08/15 -- Daniel Ruggeri

CVE-2019-10082: mod_http2, read-after-free in h2 connection shutdown

Thu, 15 Aug 2019 03:56:37 GMT

2019/08/15 -- Daniel Ruggeri

CVE-2019-10081: mod_http2, memory corruption on early pushes

Thu, 15 Aug 2019 03:55:49 GMT

2019/08/15 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.41 Released

Thu, 15 Aug 2019 03:54:47 GMT

2019/08/15 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.39 Released

Tue, 02 Apr 2019 13:56:26 GMT

2019/04/02 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.38 Released

Tue, 22 Jan 2019 17:31:07 GMT

2019/01/22 -- Daniel Ruggeri

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Tue, 22 Jan 2019 17:29:25 GMT

2019/01/22 -- Daniel Ruggeri

CVE-2018-17199: mod_session_cookie does not respect expiry time

Tue, 22 Jan 2019 17:28:34 GMT

2019/01/22 -- Daniel Ruggeri

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Tue, 22 Jan 2019 17:27:42 GMT

2019/01/22 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.37 Released

Tue, 23 Oct 2018 13:12:01 GMT

2018/10/23 -- Daniel Ruggeri

CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Tue, 25 Sep 2018 14:07:46 GMT

2018/09/25 -- Daniel Ruggeri

[ANNOUNCEMENT] Apache HTTP Server 2.4.35 Released

Tue, 25 Sep 2018 14:06:38 GMT

2018/09/25 -- Daniel Ruggeri

CVE-2018-8011: Apache HTTP Server mod_md DoS

Wed, 18 Jul 2018 15:01:29 GMT

2018/07/18 -- Mark Cox

CVE-2018-1333: Apache HTTP Server HTTP/2 DoS

Wed, 18 Jul 2018 14:59:57 GMT

2018/07/18 -- Mark Cox

[ANNOUNCEMENT] Apache HTTP Server 2.4.34 Released

Mon, 16 Jul 2018 16:06:36 GMT

2018/07/16 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server 2.4.33 Released

Mon, 26 Mar 2018 15:40:44 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2018-1303: Possible out of bound read in mod_cache_socache

Mon, 26 Mar 2018 15:39:07 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request

Mon, 26 Mar 2018 15:38:28 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest

Mon, 26 Mar 2018 15:37:27 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2018-1283: Tampering of mod_session data for CGI applications

Mon, 26 Mar 2018 15:36:07 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2017-15715: bypass with a trailing newline in the file name

Mon, 26 Mar 2018 15:35:01 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown

Mon, 26 Mar 2018 15:34:04 GMT

2018/03/26 -- Daniel Ruggeri

CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values

Mon, 26 Mar 2018 15:33:07 GMT

2018/03/26 -- Daniel Ruggeri

[ANNOUNCE] Apache HTTP Server 2.4.29 Released

Mon, 23 Oct 2017 16:58:25 GMT

2017/10/23 -- Jim Jagielski

[Announcement] Apache HTTP Server 2.4.28 Released

Thu, 05 Oct 2017 18:50:38 GMT

2017/10/05 -- William A Rowe Jr

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Thu, 13 Jul 2017 13:04:25 GMT

2017/07/13 -- William A Rowe Jr

CVE-2017-9789: Apache httpd 2.4 Read after free in mod_http2

Thu, 13 Jul 2017 13:02:38 GMT

2017/07/13 -- William A Rowe Jr

[Announcement] Apache HTTP Server 2.2.34 Released

Tue, 11 Jul 2017 19:13:49 GMT

2017/07/11 -- William A Rowe Jr

[ANNOUNCEMENT] Apache HTTP Server 2.4.27 Released

Tue, 11 Jul 2017 13:13:30 GMT

2017/07/11 -- Jim Jagielski

[SECURITY] CVE-2017-7679: mod_mime buffer overread

Mon, 19 Jun 2017 22:54:24 GMT

2017/06/19 -- Jacob Champion

[SECURITY] CVE-2017-7668: ap_find_token buffer overread

Mon, 19 Jun 2017 22:53:22 GMT

2017/06/19 -- Jacob Champion

[SECURITY] CVE-2017-7659: mod_http2 null pointer dereference

Mon, 19 Jun 2017 22:53:22 GMT

2017/06/19 -- Jacob Champion

[SECURITY] CVE-2017-3169: mod_ssl null pointer dereference

Mon, 19 Jun 2017 22:51:34 GMT

2017/06/19 -- Jacob Champion

[SECURITY] CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Mon, 19 Jun 2017 22:50:39 GMT

2017/06/19 -- Jacob Champion

[ANNOUNCE] Apache HTTP Server 2.4.26 Released

Mon, 19 Jun 2017 13:04:03 GMT

2017/06/19 -- Jim Jagielski

[ANNOUNCE] Apache HTTP Server 2.4.25 Released

Tue, 20 Dec 2016 20:25:06 GMT

2016/12/20 -- Jacob Champion

CVE-2016-8740, Server memory can be exhausted and service denied when HTTP/2 is used

Mon, 05 Dec 2016 17:32:08 GMT

2016/12/05 -- icing

CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]

Tue, 05 Jul 2016 15:02:38 GMT

2016/07/05 -- Dirk-Willem van Gulik

[ANNOUNCE] Apache HTTP Server 2.4.23 Released

Tue, 05 Jul 2016 13:09:14 GMT

2016/07/05 -- Jim Jagielski

[ANNOUNCE] Apache HTTP Server 2.4.20 Released

Mon, 11 Apr 2016 13:35:41 GMT

2016/04/11 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server 2.4.18 Released

Tue, 22 Dec 2015 21:05:57 GMT

2015/12/22 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server 2.4.18 Released

Mon, 14 Dec 2015 20:42:06 GMT

2015/12/14 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server 2.4.17 Released

Tue, 13 Oct 2015 18:18:34 GMT

2015/10/13 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server 2.4.16 Released

Thu, 16 Jul 2015 11:44:58 GMT

2015/07/16 -- Jim Jagielski

[Announce] Apache HTTP Server 2.2.29 Released

Wed, 03 Sep 2014 15:50:51 GMT

2014/09/03 -- William A. Rowe Jr.

[ANNOUNCEMENT] Apache HTTP Server 2.4.10 Released

Mon, 21 Jul 2014 15:09:28 GMT

2014/07/21 -- Jim Jagielski

[Announcment] Apache HTTP Server 2.2.27 Released

Wed, 26 Mar 2014 22:01:29 GMT

2014/03/26 -- William A. Rowe Jr.

ANNOUNCE: Apache HTTP Server 2.4.9 Released

Mon, 17 Mar 2014 20:20:31 GMT

2014/03/17 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.4.7 Released

Tue, 26 Nov 2013 19:36:02 GMT

2013/11/26 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.2.26 Released

Mon, 18 Nov 2013 18:44:19 GMT

2013/11/18 -- Jim Jagielski

[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.4.6 Released

Mon, 22 Jul 2013 15:02:12 GMT

2013/07/22 -- Jim Jagielski