CVE-2026-28780
published 2026-05-05CVE-2026-28780: Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | < 2.4.67 | 2.4.67 |
| apache | httpd | — | — |
| apache_software_foundation | apache_http_server | <= 2.4.66 | — |
| httpd_2.4 | httpd | — | — |
| ubuntu | apache2 | — | — |