Every CVE whose affected-product data names Apache Httpclient, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (8)
CVE-2013-4366 — CVSS 9.8 (critical): http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null…
CVE-2025-27820 — CVSS 7.5 (high): A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification…
CVE-2026-40542 — CVSS 7.3 (high): Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256…
CVE-2014-3577 — CVSS 5.8 (medium): org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not…
CVE-2012-5783 — CVSS 5.8 (medium): Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that…
CVE-2020-13956 — CVSS 5.3 (medium): Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the…
CVE-2015-5262 — CVSS 4.3 (medium): http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout…
CVE-2011-1498 — CVSS 4.3 (medium): Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization…