Apache Answer 2.0.1 Fixes XSS, Authorization Bypass, Token, DoS, and Email Injection Flaws
Apache disclosed five vulnerabilities in Apache Answer affecting versions through 2.0.0, including a critical cross-site scripting issue tracked as CVE-2026-25688. The XSS flaw stems from insufficient sanitization of AI-generated answer content, allowing malicious script execution when users view affected pages. Apache also fixed CVE-2026-25699, an authorization bypass in timeline-related APIs that let authenticated users access deleted, private, or unapproved content and related revision history, potentially exposing personal information, and CVE-2026-25700, which left previously issued administrative tokens valid after an administrator account was suspended, deleted, or deactivated.
The same release also addressed CVE-2026-33582, a denial-of-service bug in which a specially crafted TIFF upload could trigger excessive memory allocation and crash the server process, and CVE-2026-34033, which allowed authenticated users to inject arbitrary HTML into notification emails because script-related tags were not properly neutralized. Apache said all five issues are remediated in Apache Answer 2.0.1 and advised users to upgrade, with reports credited to Sho Odagiri, Reimar Fritz, and Andy Gill of ZephrSec Ltd.

How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-25700 admin token invalidation flaw
Apache disclosed an important-severity vulnerability affecting Apache Answer through version 2.0.0 in which previously issued admin tokens remained valid after an administrator was suspended, deleted, or deactivated. Apache recommended upgrading to version 2.0.1 to prevent continued administrative API access until token expiry.
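The failure mode described above is a token check that looks only at the token itself (does it exist, has it expired) and never at the current state of the account it was issued to. Apache Answer is written in Go, so the added example below is in Go; it is not the project's code and does not reflect its actual fix. The store, the status values, the token names and the one-hour expiry are all constructed for the example. It shows the vulnerable check beside a corrected one that re-reads the account status on every request and revokes the stale token when the account is no longer active, so a suspension takes effect immediately instead of at token expiry.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AccountStatus is the hypothetical state of an administrator account.
type AccountStatus int

const (
	StatusActive AccountStatus = iota
	StatusSuspended
	StatusDeactivated
	StatusDeleted
)

// AdminToken is a hypothetical bearer token issued to an administrator.
type AdminToken struct {
	Value   string
	UserID  string
	Expires time.Time
}

// Store stands in for the token and user tables; constructed for this example.
type Store struct {
	tokens   map[string]AdminToken
	accounts map[string]AccountStatus
}

var (
	ErrUnknownToken = errors.New("unknown token")
	ErrExpired      = errors.New("token expired")
	ErrAccountState = errors.New("administrator account is not active")
)

// NewExampleStore seeds one active admin ("alice") holding a token valid for an hour.
func NewExampleStore() *Store {
	return &Store{
		tokens: map[string]AdminToken{
			"tok-alice": {Value: "tok-alice", UserID: "alice", Expires: time.Now().Add(time.Hour)},
		},
		accounts: map[string]AccountStatus{"alice": StatusActive},
	}
}

// SetStatus changes only the account row; the token table is left untouched,
// which is exactly the situation the advisory describes.
func (s *Store) SetStatus(uid string, status AccountStatus) { s.accounts[uid] = status }

// AuthorizeVulnerable checks existence and expiry only, so a token issued before
// the admin was suspended, deactivated or deleted keeps working until it expires.
func (s *Store) AuthorizeVulnerable(tok string, now time.Time) (string, error) {
	t, ok := s.tokens[tok]
	if !ok {
		return "", ErrUnknownToken
	}
	if now.After(t.Expires) {
		return "", ErrExpired
	}
	return t.UserID, nil
}

// AuthorizeFixed additionally re-reads the account status on every request and
// drops the token as soon as the account is found not to be active, so the
// token's remaining lifetime no longer matters.
func (s *Store) AuthorizeFixed(tok string, now time.Time) (string, error) {
	uid, err := s.AuthorizeVulnerable(tok, now)
	if err != nil {
		return "", err
	}
	if status, exists := s.accounts[uid]; !exists || status != StatusActive {
		delete(s.tokens, tok) // revoke rather than leave a stale credential behind
		return "", ErrAccountState
	}
	return uid, nil
}

func main() {
	s := NewExampleStore()
	now := time.Now()
	s.SetStatus("alice", StatusSuspended)
	_, errVuln := s.AuthorizeVulnerable("tok-alice", now)
	_, errFixed := s.AuthorizeFixed("tok-alice", now)
	fmt.Println("vulnerable check after suspension:", errVuln) // <nil>: still accepted
	fmt.Println("fixed check after suspension:     ", errFixed) // account not active
}
```

The status lookup costs one extra read per administrative request; the alternative of revoking all of a user's tokens inside the suspend/delete handler is also sound, and a real deployment would do both so that a missed code path in one place is still caught by the other.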
Apache discloses CVE-2026-33582 TIFF upload DoS flaw
Apache disclosed an important-severity denial-of-service vulnerability in Apache Answer through version 2.0.0. A specially crafted TIFF upload could trigger excessive memory allocation and crash the server process, and Apache said version 2.0.1 fixes the issue.
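Image decoders allocate according to the dimensions declared in the file header, so a small file can request a very large buffer. The advisory does not say what Apache Answer's decoder did or how the fix works, so the added example below is mine, not the project's code; it demonstrates the general mitigation of reading only the header first (Go's image.DecodeConfig), rejecting anything whose declared pixel count exceeds a budget, and capping the bytes read from the upload, all before the full decode runs. It uses PNG because TIFF support lives outside Go's standard library (golang.org/x/image/tiff exposes the same DecodeConfig shape). The limits, function names and both sample inputs are constructed assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
	"io"
)

// Hypothetical upload limits chosen for this example.
const (
	MaxUploadBytes = 1 << 20 // 1 MiB of file data
	MaxPixels      = 4_000_000
)

var (
	ErrTooLarge   = errors.New("upload exceeds size limit")
	ErrTooManyPix = errors.New("declared image dimensions exceed pixel budget")
)

// DecodeBounded caps the bytes read, inspects only the header via DecodeConfig,
// rejects images whose declared size exceeds the pixel budget, and only then
// performs the full (allocating) decode.
func DecodeBounded(r io.Reader) (image.Image, error) {
	data, err := io.ReadAll(io.LimitReader(r, MaxUploadBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxUploadBytes {
		return nil, ErrTooLarge
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	if int64(cfg.Width)*int64(cfg.Height) > MaxPixels {
		return nil, ErrTooManyPix
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// smallPNG encodes a real 2x2 image; constructed sample input that should pass.
func smallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 2, 2))
	img.Set(0, 0, color.RGBA{R: 255, A: 255})
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// oversizedPNGHeader is a constructed test vector: a valid PNG signature and IHDR
// chunk declaring 100000x100000 pixels, with no image data at all. It is what the
// header check must reject before any pixel buffer is allocated.
func oversizedPNGHeader() []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], 100000) // width
	binary.BigEndian.PutUint32(ihdr[4:8], 100000) // height
	ihdr[8] = 8 // bit depth
	ihdr[9] = 2 // colour type: RGB
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.WriteString("IHDR")
	buf.Write(ihdr)
	// PNG chunk CRC covers the type and data fields with CRC-32/IEEE.
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(append([]byte("IHDR"), ihdr...)))
	return buf.Bytes()
}

func main() {
	img, err := DecodeBounded(bytes.NewReader(smallPNG()))
	fmt.Println("small image:", img.Bounds(), err)
	_, err = DecodeBounded(bytes.NewReader(oversizedPNGHeader()))
	fmt.Println("oversized header:", err)
}
```

The pixel budget should be derived from the worst-case bytes per pixel the decoder can produce (Go's image/png allows up to 8 for 16-bit RGBA), not from the file size, since the file size says nothing about the buffer the decoder will request.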
Apache discloses CVE-2026-34033 HTML injection in notification emails
Apache disclosed an important-severity HTML content injection flaw affecting Apache Answer through version 2.0.0. The bug allowed authenticated users to inject arbitrary HTML into notification emails, and Apache recommended upgrading to version 2.0.1.
Apache discloses CVE-2026-25699 authorization bypass in Timeline API
Apache disclosed an important-severity authorization bypass in timeline-related APIs affecting Apache Answer through version 2.0.0. The issue could let authenticated users access deleted, private, or unapproved content and revision history, and Apache said version 2.0.1 remediates it.
Apache discloses CVE-2026-25688 XSS in AI Answer rendering
Apache disclosed a critical cross-site scripting vulnerability affecting Apache Answer through version 2.0.0. The flaw allowed malicious scripts to execute from insufficiently sanitized AI-generated response content, and Apache said version 2.0.1 fixes the issue.
GitLab releases fixes for CVE-2026-4922 GraphQL CSRF flaw
GitLab patched CVE-2026-4922 on April 22, 2026 in versions 18.9.6, 18.10.4, and 18.11.1. The company said GitLab.com and GitLab Dedicated were already patched, and credited researcher ahacker1 with reporting the issue through HackerOne.
Sources
Apache Answer Vulnerabilities and Security Flaws Fixed (securityonline.info)
oss-sec: CVE-2026-25700: Apache Answer: AdminToken not invalidated after admin deactivation (seclists.org)
oss-sec: CVE-2026-34033: Apache Answer: HTML Content Injection in Email (seclists.org)
oss-sec: CVE-2026-25688: Apache Answer: XSS in AI Answer Rendering (seclists.org)
oss-sec: CVE-2026-33582: Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error (seclists.org)
oss-sec: CVE-2026-25699: Apache Answer: Authorization Bypass in Timeline API (seclists.org)
GitLab GraphQL CSRF Vulnerability CVE-2026-4922: Brief Summary of a High Severity Mutation Hijacking Flaw - ZeroPath Blog (zeropath.com)