threatengine.sh
Product: Apache Camel
40 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | CVSS | Summary (as listed on the page; several are cut off mid-sentence) |
|---|---|---|---|
| CVE-2026-33453 | >= 4.14.0 and <= 4.14.5 | 10.0 CRITICAL | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. |
| CVE-2026-27172 | >= 3.0.0 and < 4.14.6 | 8.8 HIGH | The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegis |
| CVE-2026-40858 | >= 4.0.0 and < 4.14.7 | 8.8 HIGH | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan c |
| CVE-2026-40022 | >= 4.14.1 and < 4.14.6 | 8.2 HIGH | When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) a |
| CVE-2026-33454 | >= 3.0.0 and < 4.14.6 | 9.4 CRITICAL | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component |
| CVE-2026-40860 | >= 3.0.0 and < 4.14.7 | 9.8 CRITICAL | JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incom |
| CVE-2026-40473 | >= 3.0.0 and < 4.14.6 | 8.8 HIGH | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream w |
| CVE-2026-40453 | >= 3.0.0 and < 4.14.6 | 9.9 CRITICAL | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelEx |
| CVE-2026-40048 | >= 4.18.0 and < 4.18.2 | 7.8 HIGH | The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory |
| CVE-2026-25747 | >= 3.0.0 and < 4.10.9 | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer cla |
| CVE-2026-23552 | >= 4.15.0 and < 4.18.0 | 9.1 CRITICAL | Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecur |
| CVE-2025-66169 | >= 4.10.0 and < 4.10.8 | 5.3 MEDIUM | Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, |
| CVE-2025-30177 | >= 4.8.0 and < 4.8.6 | 6.5 MEDIUM | Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache |
| CVE-2025-29891 | >= 3.10.0 and < 3.22.4; >= 4.10.0 and < 4.10.2; a 4.8.x range whose upper bound is cut off in the summary | 4.8 MEDIUM | Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8 |
| CVE-2025-27636 | >= 3.10.0 and < 3.22.4; a 4.10.x range whose bounds are cut off in the summary | 5.6 MEDIUM | Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10 |
| CVE-2024-22371 | >= 3.0.0 and < 3.21.4 | 2.9 LOW | Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensit |
| CVE-2024-23114 | >= 3.0.0 and < 3.21.4 | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to |
| CVE-2024-22369 | >= 3.0.0 and < 3.21.4 | 7.8 HIGH | Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3. |
| CVE-2023-34442 | >= 3.0.0 and < 3.14.9 | 3.3 LOW | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel. This issue aff |
| CVE-2020-11994 | >= 2.22.0 and <= 2.22.5 | 7.5 HIGH | Server-Side Template Injection and arbitrary file disclosure on Camel templating components |
| CVE-2020-11973 | >= 2.22.0 and <= 2.25.0; >= 3.0.0 and <= 3.1.0 | 9.8 CRITICAL | Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are aff |
| CVE-2020-11972 | >= 2.22.0 and <= 2.25.0; >= 3.0.0 and <= 3.1.0 | 9.8 CRITICAL | Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are |
| CVE-2020-11971 | >= 2.22.0 and <= 3.1.0 | 7.5 HIGH | Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users |
| CVE-2020-5529 | all versions (the summary describes HtmlUnit before 2.37.0, not a Camel version range) | 8.1 HIGH | HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious |
| CVE-2019-0188 | < 2.24.0 | 7.5 HIGH | Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vuln |
| CVE-2019-0194 | >= 2.0.0 and <= 2.19.0; >= 2.21.0 and <= 2.21.3; >= 2.22.0 and <= 2.22.2; == 2.23.0 | 7.5 HIGH | Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Cam |
| CVE-2018-8041 | >= 2.20.0 and <= 2.20.3; >= 2.21.0 and <= 2.21.1; == 2.22.0 | 5.3 MEDIUM | Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal. |
| CVE-2018-8027 | >= 2.20.0 and <= 2.20.3; == 2.21.0 | 9.8 CRITICAL | Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor. |
| CVE-2017-12634 | >= 2.0.0 and < 2.19.4; >= 2.20.0 and < 2.20.1 | 9.8 CRITICAL | The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisatio |
| CVE-2017-12633 | >= 2.0.0 and < 2.19.4; >= 2.20.0 and < 2.20.1 | 9.8 CRITICAL | The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisati |
| CVE-2016-8749 | all versions (as listed; the summary names no range) | 9.8 CRITICAL | Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. |
| CVE-2017-5643 | <= 2.16.0 | 7.4 HIGH | Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. |
| CVE-2017-3159 | <= 2.14.4 | 9.8 CRITICAL | Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted dat |
| CVE-2015-5348 | >= 2.6.0 and < 2.15.5; >= 2.16.0 and < 2.16.1 | 8.1 HIGH | Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet |
| CVE-2015-5344 | < 2.15.5; >= 2.16.0 and < 2.16.1 | 9.8 CRITICAL | The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary com |
| CVE-2015-0264 | <= 2.13.3; a 2.14.x range whose bound is cut off in the summary | not listed | Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x befor |
| CVE-2015-0263 | <= 2.13.3 | not listed | XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13 |
| CVE-2014-0003 | < 2.11.4; >= 2.12.0 and < 2.12.3 | not listed | The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attacke |
| CVE-2014-0002 | < 2.11.4; >= 2.12.0 and < 2.12.3 | not listed | The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and poss |
| CVE-2013-4330 | < 2.9.7; >= 2.10.0 and < 2.10.7; >= 2.11.0 and < 2.11.2; == 2.12.0 | not listed | Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary sim |

Notes on the table. The list showed a single range per entry; where that range omitted or contradicted versions the entry's own summary names (CVE-2025-29891, CVE-2025-27636, CVE-2020-11973, CVE-2020-11972, CVE-2019-0194, CVE-2018-8041, CVE-2018-8027, CVE-2017-12634, CVE-2017-12633, CVE-2015-5348, CVE-2015-5344, CVE-2014-0003, CVE-2014-0002, CVE-2013-4330), the Affected column combines the listed range with the ranges the summary gives, separated by ';'. Treat every range here as an index only: confirm against the linked briefing and the Apache Camel advisory before deciding a deployment is unaffected, since several summaries are cut off before their version list ends. CVSS scores are those shown; the last five entries carry none on this page.
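The first practical use of a list like the one above is to ask "is my Camel version inside any of these ranges?" The following is an added example (not part of this page or of the Apache Camel project) that parses the affected-version notation used in the list, including ';'-separated alternatives and a bare "all versions", and reports matching CVE IDs. The ENTRIES dictionary is a constructed subset of the rows above; the parser accepts the general form, not just those rows.

```python
"""Check a Camel version against the affected-version expressions on this page.

Added example; not Camel code. Grammar accepted (the page's own notation):
  expression := alternative (';' alternative)*
  alternative := 'all versions' | clause (' and ' clause)*
  clause := ('>=' | '<=' | '==' | '>' | '<') version
"""
from __future__ import annotations

import operator
import re
from typing import Callable

# Constructed subset of the entries listed above, copied in the page's notation.
ENTRIES: dict[str, str] = {
    "CVE-2026-33453": ">= 4.14.0 and <= 4.14.5",
    "CVE-2026-27172": ">= 3.0.0 and < 4.14.6",
    "CVE-2026-40858": ">= 4.0.0 and < 4.14.7",
    "CVE-2026-40048": ">= 4.18.0 and < 4.18.2",
    "CVE-2025-66169": ">= 4.10.0 and < 4.10.8",
    "CVE-2020-11973": ">= 2.22.0 and <= 2.25.0; >= 3.0.0 and <= 3.1.0",
    "CVE-2019-0188": "< 2.24.0",
    "CVE-2016-8749": "all versions",
}

_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    ">": operator.gt, "<": operator.lt,
}
# Two-character operators are listed first so '>=' is not read as '>' + '='.
_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """'4.14.5' -> (4, 14, 5). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so that '2.22' compares equal to '2.22.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches(version: str, expression: str) -> bool:
    """True if `version` lies inside at least one alternative of `expression`."""
    v = parse_version(version)
    for alternative in expression.split(";"):
        alternative = alternative.strip()
        if alternative == "all versions":
            return True
        satisfied = True
        for clause in alternative.split(" and "):
            m = _CLAUSE.match(clause.strip())
            if m is None:
                raise ValueError(f"unparseable clause: {clause!r}")
            op, bound = m.groups()
            left, right = _pad(v, parse_version(bound))
            if not _OPS[op](left, right):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def affected_cves(version: str, entries: dict[str, str] = ENTRIES) -> list[str]:
    """CVE IDs from `entries` whose affected-version expression covers `version`."""
    return [cve for cve, expr in entries.items() if matches(version, expr)]


if __name__ == "__main__":
    import sys

    for v in sys.argv[1:] or ["4.14.5", "4.14.7", "3.0.5"]:
        print(v, "->", ", ".join(affected_cves(v)) or "none in this subset")
```

Run it as `python camel_ranges.py 4.14.5` (file name assumed). Because the page's ranges are an index, a hit should send you to the briefing; a miss proves nothing for entries whose summary was cut off before its version list ended.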
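The Bypass/Injection entries (CVE-2025-27636, CVE-2025-29891, CVE-2025-30177) and the CVE-2026-40453 summary, which says the earlier fix added setLowerCase(true) to HttpHeaderFilterStrategy to catch case-variant names like 'CAmelEx…', describe one mechanism: a deny-list of header-name prefixes compared case-sensitively in front of a header map that is case-insensitive. The model below is an added example, not Camel's code. It assumes the deny-prefixes "Camel", "camel" and "org.apache.camel." as the filter's defaults, uses CamelExecCommandExecutable purely as an illustrative internal header name, and reduces Camel's header map to a small case-insensitive dict.

```python
"""Model of the case-variant header-filter bypass behind the Bypass/Injection
entries above. Added example; a minimal reimplementation, not Apache Camel code."""
from __future__ import annotations

from typing import Callable

# Assumed deny-list: prefixes an inbound filter drops so that external callers
# cannot set Camel-internal headers. Illustrative values, not Camel's source.
DENY_PREFIXES: tuple[str, ...] = ("Camel", "camel", "org.apache.camel.")


class CaseInsensitiveHeaders(dict):
    """Exchange headers are looked up case-insensitively: 'CAmelX' and 'CamelX' are one key."""

    def __setitem__(self, key: str, value: str) -> None:
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key: str) -> str:
        return super().__getitem__(key.lower())

    def get(self, key: str, default=None):
        return super().get(key.lower(), default)

    def __contains__(self, key: object) -> bool:
        return super().__contains__(str(key).lower())


def vulnerable_filter(name: str) -> bool:
    """Pre-fix behaviour: the deny-list prefixes are matched with exact case."""
    return name.startswith(DENY_PREFIXES)


def fixed_filter(name: str) -> bool:
    """setLowerCase(true)-style behaviour: fold case before matching the deny-list."""
    return name.lower().startswith(tuple(p.lower() for p in DENY_PREFIXES))


def ingest(raw_headers: dict[str, str], is_filtered: Callable[[str], bool]) -> CaseInsensitiveHeaders:
    """Copy wire headers into the exchange, dropping every name the filter rejects.

    The filter sees the header name exactly as sent; the exchange map folds it
    to lower case afterwards. That mismatch is the whole bug.
    """
    exchange = CaseInsensitiveHeaders()
    for name, value in raw_headers.items():
        if not is_filtered(name):
            exchange[name] = value
    return exchange


# Constructed request: the caller sends a case-variant of an internal header.
# 'CamelExecCommandExecutable' is an illustrative header name for this model.
ATTACKER_REQUEST: dict[str, str] = {
    "Content-Type": "text/plain",
    "CAmelExecCommandExecutable": "/bin/sh",
}


def internal_header_leaked(is_filtered: Callable[[str], bool]) -> bool:
    """Does a component reading the canonical header name see the attacker's value?"""
    exchange = ingest(ATTACKER_REQUEST, is_filtered)
    return "CamelExecCommandExecutable" in exchange


if __name__ == "__main__":
    print("vulnerable filter leaks internal header:", internal_header_leaked(vulnerable_filter))
    print("fixed filter leaks internal header:", internal_header_leaked(fixed_filter))
```

The takeaway for any filter placed in front of a case-insensitive store is that the filter must normalise the key the same way the store does; otherwise every case variant of a denied name is an unfiltered alias for it.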
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin