Every CVE whose affected-product data names Apache Solr, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (47)
CVE-2024-45216 — CVSS 9.8 (critical): Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when…
CVE-2020-13957 — CVSS 9.8 (critical): Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for…
CVE-2019-0192 — CVSS 9.8 (critical): In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By…
CVE-2021-44548 — CVSS 9.8 (critical): An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting…
CVE-2019-12409 — CVSS 9.8 (critical): The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default…
CVE-2017-12629 — CVSS 9.8 (critical): Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config…
CVE-2021-27905 — CVSS 9.8 (critical): The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias)…
CVE-2021-29943 — CVSS 9.1 (critical): When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed…
CVE-2017-1000190 — CVSS 9.1 (critical): SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on.
CVE-2020-13941 — CVSS 8.8 (high): Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler…
CVE-2023-50386 — CVSS 8.8 (high): Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from…
CVE-2020-9492 — CVSS 8.8 (high): In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to…
CVE-2026-22022 — CVSS 8.2 (high): Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing…
CVE-2024-45217 — CVSS 8.1 (high): Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy…
CVE-2026-44825 — CVSS 8.1 (high): Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0…
CVE-2012-6612 — CVSS 7.5 (high): The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified…
CVE-2017-3163 — CVSS 7.5 (high): When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts…
CVE-2017-3164 — CVSS 7.5 (high): Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding…
CVE-2017-7660 — CVSS 7.5 (high): Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially…
CVE-2017-9803 — CVSS 7.5 (high): Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an…
CVE-2018-1308 — CVSS 7.5 (high): This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the…
CVE-2019-12401 — CVSS 7.5 (high): Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via…
CVE-2021-29262 — CVSS 7.5 (high): When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and…
CVE-2021-33813 — CVSS 7.5 (high): An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CVE-2023-50291 — CVSS 7.5 (high): Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0…
CVE-2023-50292 — CVSS 7.5 (high): Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr…
CVE-2023-50298 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through…
CVE-2026-22444 — CVSS 7.1 (high): The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to…
CVE-2023-50290 — CVSS 6.5 (medium): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected…
CVE-2013-6408 — CVSS 6.4 (medium): The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers…
CVE-2013-6407 — CVSS 6.4 (medium): The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an…
CVE-2015-8796 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote…
CVE-2015-8795 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary…
CVE-2015-8797 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1…
CVE-2018-8010 — CVSS 5.5 (medium): This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files…
CVE-2025-24814 — CVSS 5.5 (medium): Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the…
CVE-2018-8026 — CVSS 5.5 (medium): This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files…
CVE-2024-52012 — CVSS 5.4 (medium): Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access…
CVE-2020-27223 — CVSS 5.2 (medium): In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple…
CVE-2018-11802 — CVSS 4.3 (medium): In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection…
CVE-2013-6397 — CVSS 4.3 (medium): Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a…
CVE-2014-3628 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to…
CVE-2009-3821 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject…
CVE-2021-28163 — CVSS 2.7 (low): In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a…