Analysis Summary

CVE-2025-26795 CVSS:6.5

Apache IoTDB could allow a remote authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into log file in the JDBC driver.

CVE-2025-26864 CVSS:6.5

Apache IoTDB could allow a remote authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into log file in the OpenIdAuthorizer feature.

CVE-2025-47436 CVSS:6

A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption.

CVE-2025-46762 CVSS:9.8

Apache Parquet could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when reading an Avro schema from a Parquet file metadata.

CVE-2025-46392 CVSS:5.3

Apache Commons Configuration is vulnerable to a denial of service, caused by an error when loading untrusted configurations or using unexpected usage patterns. An attacker could exploit this vulnerability to allow excessive resource consumption.

Impact

• Buffer Overflow
• Information Disclosure
• Code Execution
• Denial of Service

Indicators of Compromise

CVE

• CVE-2025-26795

• CVE-2025-26864

• CVE-2025-47436

• CVE-2025-46762

• CVE-2025-46392

Affected Vendors

Remediation

Upgrade to the latest version of Apache, available from the Apache Security Advisory.

CVE-2025-26864

CVE-2025-26795

CVE-2025-47436

CVE-2025-46762

CVE-2025-46392