Every CVE whose affected-product data names Apache Camel, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (58)
CVE-2026-33453 — CVSS 10.0 (critical): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache…
CVE-2026-40453 — CVSS 9.9 (critical): The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as…
CVE-2026-43867 — CVSS 9.8 (critical): Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata…
CVE-2024-23114 — CVSS 9.8 (critical): Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe…
CVE-2016-8749 — CVSS 9.8 (critical): Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVE-2017-12633 — CVSS 9.8 (critical): The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation…
CVE-2017-12634 — CVSS 9.8 (critical): The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation…
CVE-2017-3159 — CVSS 9.8 (critical): Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can…
CVE-2026-46455 — CVSS 9.8 (critical): Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper…
CVE-2015-5344 — CVSS 9.8 (critical): The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via…
CVE-2026-48204 — CVSS 9.8 (critical): Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The…
CVE-2020-11973 — CVSS 9.8 (critical): Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected…
CVE-2020-11972 — CVSS 9.8 (critical): Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected…
CVE-2026-40860 — CVSS 9.8 (critical): JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS…
CVE-2026-33454 — CVSS 9.4 (critical): The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component…
CVE-2026-48203 — CVSS 9.1 (critical): Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Input Validation, Server-Side…
CVE-2026-23552 — CVSS 9.1 (critical): Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy…
CVE-2026-48205 — CVSS 9.1 (critical): Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS…
CVE-2026-40858 — CVSS 8.8 (high): The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache…
CVE-2026-27172 — CVSS 8.8 (high): The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner…
CVE-2026-40473 — CVSS 8.8 (high): The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without…
CVE-2026-25747 — CVSS 8.8 (high): Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class…
CVE-2026-40022 — CVSS 8.2 (high): When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a…
CVE-2015-5348 — CVSS 8.1 (high): Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a…
CVE-2026-43865 — CVSS 8.1 (high): Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages…
CVE-2026-40859 — CVSS 8.1 (high): Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying…
CVE-2026-42527 — CVSS 8.1 (high): Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel…
CVE-2026-40048 — CVSS 7.8 (high): The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using…
CVE-2024-22369 — CVSS 7.8 (high): Deserialization of Untrusted Data vulnerability in Apache Camel SQL ComponentThis issue affects Apache Camel: from 3.0.0 before 3.21.4…
CVE-2019-0188 — CVSS 7.5 (high): Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable…
CVE-2014-0002 — CVSS 7.5 (high): The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have…
CVE-2014-0003 — CVSS 7.5 (high): The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to…
CVE-2019-0194 — CVSS 7.5 (high): Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x…
CVE-2020-11971 — CVSS 7.5 (high): Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should…
CVE-2026-43866 — CVSS 7.3 (high): Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component. JmsBinding.extractBodyFromJms() in camel-jms -…
CVE-2013-4330 — CVSS 6.8 (medium): Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple…
CVE-2025-30177 — CVSS 6.5 (medium): Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel…
CVE-2026-49097 — CVSS 6.5 (medium): Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability…
CVE-2025-27636 — CVSS 5.6 (medium): Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through…
CVE-2025-66169 — CVSS 5.3 (medium): Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from…
CVE-2026-49099 — CVSS 5.3 (medium): Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through…
CVE-2018-8041 — CVSS 5.3 (medium): Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2026-48206 — CVSS 5.3 (medium): Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel JIRA component. The camel-jira…
CVE-2026-49098 — CVSS 5.3 (medium): Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability…
CVE-2015-0263 — CVSS 5.0 (medium): XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and…
CVE-2015-0264 — CVSS 5.0 (medium): Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2…
CVE-2025-29891 — CVSS 4.8 (medium): Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from…
CVE-2023-34442 — CVSS 3.3 (low): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel.This issue affects…
CVE-2024-22371 — CVSS 2.9 (low): Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data…