CVE-2026-42535
9.1 CRITICALA path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV proper...
Published: 2026-06-08 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 9.1 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- CWE
- CWE-668
Affected products
| Vendor | Product |
|---|---|
| apache | http_server |
Description
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
- CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)
Same CWE
- CVE-2026-48096 — OpenFGA is an authorization/permission engine built for developers (5.0 MEDIUM)
- CVE-2025-15653 — Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unau... (6.8 MEDIUM)
- CVE-2026-46430 — Algernon is a small self-contained pure-Go web server (4.3 MEDIUM)
- CVE-2026-8958 — Information disclosure, sandbox escape in the Security: Process Sandboxing component (8.6 HIGH)
- CVE-2026-46723 — The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names