Every CVE whose affected-product data names Apache Apisix, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (25)
CVE-2022-25757 — CVSS 9.8 (critical): In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By…
CVE-2026-49871 — CVSS 9.3 (critical): Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker…
CVE-2026-44087 — CVSS 9.1 (critical): Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an…
CVE-2026-31908 — CVSS 9.1 (critical): Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject…
CVE-2026-49230 — CVSS 9.1 (critical): Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is…
CVE-2026-39999 — CVSS 9.1 (critical): Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain…
CVE-2026-39998 — CVSS 8.8 (high): Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin…
CVE-2026-47339 — CVSS 8.1 (high): Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to…
CVE-2026-49872 — CVSS 8.1 (high): Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate…
CVE-2025-27446 — CVSS 7.8 (high): Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions…
CVE-2026-31923 — CVSS 7.5 (high): Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin…
CVE-2025-62232 — CVSS 7.5 (high): Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log…
CVE-2022-29266 — CVSS 7.5 (high): In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message…
CVE-2021-43557 — CVSS 7.5 (high): The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request…
CVE-2026-48895 — CVSS 7.2 (high): URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to…
CVE-2020-13945 — CVSS 6.5 (medium): In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is…
CVE-2026-47341 — CVSS 6.5 (medium): Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to…
CVE-2024-32638 — CVSS 6.3 (medium): Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth`…
CVE-2026-44915 — CVSS 6.1 (medium): URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX…
CVE-2026-44046 — CVSS 5.8 (medium): Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to…
CVE-2026-49231 — CVSS 5.4 (medium): Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on…
CVE-2026-31924 — CVSS 5.3 (medium): Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue…
CVE-2025-46647 — CVSS 5.3 (medium): A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions…