CVE-2026-28780
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk68th percentile — higher than 68% of all known CVEs
Summary
Heap-based buffer overflow vulnerability in the mod_proxy_ajp module of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing a write of 4 attacker-controlled bytes beyond the heap buffer boundary. This affects Apache HTTP Server up to version 2.4.66.
Risk Assessment
An attacker can remotely crash the server or potentially execute arbitrary code, compromising confidentiality, integrity, and availability.
Recommendation
Upgrade Apache HTTP Server to version 2.4.67 immediately, which contains the fix for this vulnerability.
Original NVD description (English source)
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

