Every CVE whose affected-product data names Apache Streampark, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (17)
CVE-2025-54947 — CVSS 9.8 (critical): In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This…
CVE-2022-45802 — CVSS 9.8 (critical): Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users…
CVE-2022-46365 — CVSS 9.1 (critical): Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the…
CVE-2024-29070 — CVSS 9.1 (critical): On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns…
CVE-2024-29178 — CVSS 8.8 (high): On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The…
CVE-2023-52290 — CVSS 8.1 (high): In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to…
CVE-2024-48988 — CVSS 7.6 (high): SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to…
CVE-2025-54981 — CVSS 7.5 (high): Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive…
CVE-2025-30001 — CVSS 7.3 (high): Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6…
CVE-2023-49898 — CVSS 7.2 (high): In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation…
CVE-2024-34457 — CVSS 6.5 (medium): On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view…
CVE-2024-29120 — CVSS 5.9 (medium): In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end…
CVE-2025-53960 — CVSS 5.9 (medium): When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256…
CVE-2022-45801 — CVSS 5.4 (medium): Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications…
CVE-2023-30867 — CVSS 4.9 (medium): In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as…
CVE-2023-52291 — CVSS 4.7 (medium): In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing…
CVE-2024-29737 — CVSS 4.7 (medium): In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing…