CVE Catalog

CVE-2026-28780

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.33%

68th percentile — higher than 68% of all known CVEs

Summary

Heap-based buffer overflow vulnerability in the mod_proxy_ajp module of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing a write of 4 attacker-controlled bytes beyond the heap buffer boundary. This affects Apache HTTP Server up to version 2.4.66.

Risk Assessment

An attacker can remotely crash the server or potentially execute arbitrary code, compromising confidentiality, integrity, and availability.

Recommendation

Upgrade Apache HTTP Server to version 2.4.67 immediately, which contains the fix for this vulnerability.

Original NVD description (English source)

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS