Apache

vulnerabilities 2026-06-03
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
http2 nginx apache envoy cloudflare iis denial-of-service hpack web-server infrastructure
vulnerabilities 2026-05-11
Apache CloudStack CVE-2026-25077: Malicious Template Lands Code Execution on KVM Hosts
Apache CloudStack 4.20.3.0 and 4.22.0.1 ship fixes for seven flaws — the headliner lets any account user execute arbitrary code on KVM hypervisor hosts via a malicious template name.
cloudstack kvm rce cve-2026-25077 cloud hypervisor apache
vulnerabilities 2026-05-05
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
apache httpd http2 cve-2026-23918 rce memory-corruption infrastructure

HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare