httpd-manual (AlmaLinux:8) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:8 package httpd-manual, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (52)
CVE-2021-39275 — CVSS 9.8 (critical): ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these…
CVE-2022-31813 — CVSS 9.8 (critical): Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header…
CVE-2023-25690 — CVSS 9.8 (critical): Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are…
CVE-2021-44790 — CVSS 9.8 (critical): A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The…
CVE-2024-38476 — CVSS 9.8 (critical): Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via…
CVE-2026-28780 — CVSS 9.8 (critical): Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this…
CVE-2022-22720 — CVSS 9.8 (critical): Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing…
CVE-2024-38474 — CVSS 9.8 (critical): Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories…
CVE-2022-23943 — CVSS 9.8 (critical): Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker…
CVE-2021-20325 — CVSS 9.8 (critical): Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd, as shipped in Red Hat Enterprise Linux 8.5.0, causes a…
CVE-2021-26691 — CVSS 9.8 (critical): In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2022-22721 — CVSS 9.1 (critical): If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens…
CVE-2025-23048 — CVSS 9.1 (critical): In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible…
CVE-2022-28615 — CVSS 9.1 (critical): Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with…
CVE-2022-36760 — CVSS 9.0 (critical): Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an…
CVE-2025-58098 — CVSS 8.3 (high): Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query…
CVE-2021-44224 — CVSS 8.2 (high): A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for…
CVE-2024-38473 — CVSS 8.1 (high): Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend…
CVE-2025-49630 — CVSS 7.5 (high): In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered…
CVE-2021-33193 — CVSS 7.5 (high): A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache…
CVE-2021-34798 — CVSS 7.5 (high): Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2021-36160 — CVSS 7.5 (high): A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects…
CVE-2022-22719 — CVSS 7.5 (high): A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache…
CVE-2022-26377 — CVSS 7.5 (high): Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an…
CVE-2022-29404 — CVSS 7.5 (high): In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due…
CVE-2022-30522 — CVSS 7.5 (high): If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large…
CVE-2022-30556 — CVSS 7.5 (high): Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage…
CVE-2023-27522 — CVSS 7.5 (high): HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through…
CVE-2023-31122 — CVSS 7.5 (high): Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.
CVE-2024-27316 — CVSS 7.5 (high): HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a…
CVE-2024-38477 — CVSS 7.5 (high): null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious…
CVE-2024-39573 — CVSS 7.5 (high): Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly…
CVE-2024-47252 — CVSS 7.5 (high): Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to…
CVE-2006-20001 — CVSS 7.5 (high): A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the…
CVE-2025-53020 — CVSS 7.5 (high): Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up…
CVE-2025-55753 — CVSS 7.5 (high): An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations)…
CVE-2026-34059 — CVSS 7.5 (high): Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to…
CVE-2026-49975 — CVSS 7.5 (high): Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP…
CVE-2025-49812 — CVSS 7.4 (high): In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a…
CVE-2023-38709 — CVSS 7.3 (high): Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This…
CVE-2020-35452 — CVSS 7.3 (high): Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no…
CVE-2025-65082 — CVSS 6.5 (medium): Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the…
CVE-2023-45802 — CVSS 5.9 (medium): When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed…
CVE-2025-66200 — CVSS 5.4 (medium): mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader…
CVE-2022-37436 — CVSS 5.3 (medium): Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers…
CVE-2026-33007 — CVSS 5.3 (medium): A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash…
CVE-2026-34032 — CVSS 5.3 (medium): Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66…
CVE-2022-28614 — CVSS 5.3 (medium): The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect…
CVE-2026-33857 — CVSS 5.3 (medium): Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are…