Every CVE whose affected-product data names Apache Cassandra, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2018-8016 — CVSS 9.8 (critical): The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces…
CVE-2021-44521 — CVSS 9.1 (critical): When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions…
CVE-2025-23015 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate…
CVE-2026-27314 — CVSS 8.8 (high): Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission…
CVE-2025-26467 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate…
CVE-2023-30601 — CVSS 7.8 (high): Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache…
CVE-2015-0225 — CVSS 7.5 (high): The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated…
CVE-2016-4970 — CVSS 7.5 (high): handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of…
CVE-2020-17516 — CVSS 7.5 (high): Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack'…
CVE-2026-32588 — CVSS 6.5 (medium): Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password…
CVE-2020-13946 — CVSS 5.9 (medium): In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access…
CVE-2019-2684 — CVSS 5.9 (medium): Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are…
CVE-2026-27315 — CVSS 5.5 (medium): Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously…
CVE-2025-24860 — CVSS 5.4 (medium): Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able…
CVE-2024-27137 — CVSS 5.3 (medium): In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate…