org.apache.solr:solr-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.solr:solr-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (30)
CVE-2017-12629 — CVSS 9.8 (critical): Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config…
CVE-2020-13957 — CVSS 9.8 (critical): Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for…
CVE-2019-12409 — CVSS 9.8 (critical): The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default…
CVE-2019-0192 — CVSS 9.8 (critical): In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By…
CVE-2023-50386 — CVSS 8.8 (high): Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from…
CVE-2026-22022 — CVSS 8.2 (high): Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing…
CVE-2012-6612 — CVSS 7.5 (high): The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified…
CVE-2017-3163 — CVSS 7.5 (high): When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts…
CVE-2017-3164 — CVSS 7.5 (high): Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding…
CVE-2017-7660 — CVSS 7.5 (high): Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially…
CVE-2017-9803 — CVSS 7.5 (high): Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an…
CVE-2018-1308 — CVSS 7.5 (high): This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the…
CVE-2019-12401 — CVSS 7.5 (high): Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via…
CVE-2021-29262 — CVSS 7.5 (high): When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and…
CVE-2023-50291 — CVSS 7.5 (high): Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0…
CVE-2023-50292 — CVSS 7.5 (high): Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr…
CVE-2026-22444 — CVSS 7.1 (high): The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to…
CVE-2023-50290 — CVSS 6.5 (medium): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected…
CVE-2013-6407 — CVSS 6.4 (medium): The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an…
CVE-2013-6408 — CVSS 6.4 (medium): The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers…
CVE-2015-8797 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1…
CVE-2015-8795 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary…
CVE-2018-8010 — CVSS 5.5 (medium): This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files…
CVE-2025-24814 — CVSS 5.5 (medium): Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the…
CVE-2018-8026 — CVSS 5.5 (medium): This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files…
CVE-2024-52012 — CVSS 5.4 (medium): Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access…
CVE-2013-6397 — CVSS 4.3 (medium): Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a…
CVE-2018-11802 — CVSS 4.3 (medium): In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection…