Apache HTTP Server
Apache · Web / Runtime
35/100 High risk
Summary
Plain-English security verdict for Apache HTTP Server, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Apache HTTP Server currently scores 35/100 — high risk. 5 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2021-40438. The latest supported release is 2.4.67. Upgrade soon — serious vulnerabilities are open and a fix usually exists.
Disclosure trend
New CVEs published for Apache HTTP Server each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
[Bar chart: new CVEs per year, '19 to '26]
⚠ 2 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on
The issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2021-40438 CRITICAL ● exploited Server-side request forgery (SSRF) EPSS 94% → see advisory
CVE-2021-42013 CRITICAL ● exploited ⚠ ransomware Path traversal EPSS 94% → see advisory
CVE-2021-41773 CRITICAL ● exploited ⚠ ransomware Path traversal EPSS 94% → see advisory
CVE-2024-38475 CRITICAL ● exploited CWE-116 EPSS 94% → fixed in 2.4.60
CVE-2019-0211 HIGH ● exploited Use-after-free EPSS 90% → see advisory
CVE-2017-9798 HIGH Use-after-free EPSS 94% → see advisory
CVE-2017-15715 HIGH Improper input validation EPSS 94% → see advisory
CVE-2006-3918 MEDIUM Cross-site scripting (XSS) EPSS 91% → fixed in 1.3.35
CVE-2002-0661 HIGH EPSS 91% → see advisory
CVE-1999-1053 HIGH EPSS 91% → see advisory
CVE-2024-38472 HIGH Server-side request forgery (SSRF) EPSS 91% → fixed in 2.4.60
CVE-2004-0493 MEDIUM EPSS 90% → see advisory
Versions & lifecycle
When each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Apache HTTP Server release line is supported — and when it sunsets.
2.4 latest 2.4.67 Supported
2.2 latest 2.2.34 End of life ended 2017-07-11
2.0 latest 2.0.65 End of life ended 2013-07-10
1.3 latest 1.3.42 End of life ended 2010-02-03