Apache Maven - 5 CVEs (Page 1/1)

About “Apache Maven”

A curated feed of “Apache Maven”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 8.1 (all time), and 80% are rated High/Critical (all time). Top CWEs (all time): CWE-91 - XML Injection (aka Blind XPath Injection), CWE-116 - Improper Encoding or Escaping of Output, CWE-346 - Origin Validation Error.

In our taxonomy this topic maps to a LOW impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-maven

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL
3.9	2023-01-31	3.9.16	-
3.8	2021-03-30	3.8.9	2025-06-14 Expired
3.6	2018-10-24	3.6.3	2021-03-30 Expired
3.5	2017-04-03	3.5.4	2018-10-24 Expired
3.3	2015-03-13	3.3.9	2017-04-03 Expired
3.2	2014-02-14	3.2.5	2015-03-13 Expired
3.1	2013-06-28	3.1.1	2014-02-14 Expired
3.0	2010-10-04	3.0.5	2013-06-28 Expired
2	2006-05-07	2.2.1	2014-02-18 Expired
1	2004-07-13	1.1	2014-02-18 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired) · ICS

Subscribe CVEs: RSS for “Apache Maven” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2023-08-21

High

CVE-2022-46751

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy pr…

CVSS: 8.2 CWE: CWE-91 - XML Injection (aka Blind XPath Injection) View on NVD

2022-05-23

Critical

CVE-2022-29599

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CVSS: 9.8 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD

2021-04-23

Critical

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over…

CVSS: 9.1 CWE: CWE-346 - Origin Validation Error View on NVD

2018-10-24

High

CVE-2018-11804

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to…

CVSS: 7.5 CWE: N/A View on NVD

2013-04-09

Medium

CVE-2013-0253

The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVSS: 5.8 CWE: CWE-16 View on NVD