{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24343", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-22T08:43:55.767Z", "datePublished": "2026-02-10T09:28:52.465Z", "dateUpdated": "2026-02-10T15:37:07.090Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "org.apache.hertzbeat:hertzbeat-collector", "product": "Apache HertzBeat", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.8.0", "status": "affected", "version": "1.7.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.</p><p>This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.</p><p>Users are recommended to upgrade to version 1.8.0, which fixes the issue.</p>"}], "value": "Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "Important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-643", "description": "CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-10T09:28:52.465Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/09/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T10:22:47.854Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:36:26.476967Z", "id": "CVE-2026-24343", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:37:07.090Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/09/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T10:22:47.854Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24343", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T15:36:26.476967Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:35:31.613Z"}}], "cna": {"title": "Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "Important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HertzBeat", "versions": [{"status": "affected", "version": "1.7.1", "lessThan": "1.8.0", "versionType": "semver"}], "packageName": "org.apache.hertzbeat:hertzbeat-collector", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.</p><p>This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.</p><p>Users are recommended to upgrade to version 1.8.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-643", "description": "CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-10T09:28:52.465Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24343", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:37:07.090Z", "dateReserved": "2026-01-22T08:43:55.767Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-10T09:28:52.465Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hertzbeat:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DA673CE-B995-46A5-9501-1F334CA4E71D", "versionEndExcluding": "1.8.0", "versionStartIncluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.\n\nThis issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue."}], "id": "CVE-2026-24343", "lastModified": "2026-02-11T17:56:14.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-10T10:15:59.567", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/b2k3jqwffrbo2sy6bl4n0f68kp8bfo1n"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/09/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-643"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.7.1,1.8.0)"}}], "product": "hertzbeat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-17T20:51:29.926756+00:00", "value": {"mitigation_remediation": ["Upgrade Apache HertzBeat to version 1.8.0 or later where the XPath injection flaw is fixed.", "If an upgrade is not immediately feasible, validate and sanitize all user\u2011supplied XPath queries, restricting input length and complexity to limit resource usage.", "Apply rate limiting or CPU/memory quotas to the service handling XPath queries to mitigate potential denial\u2011of\u2011service attacks."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Apache HertzBeat by the Apache Software Foundation is affected. All releases starting at 1.7.1 up through, but excluding, 1.8.0 are vulnerable. Applications running those versions are susceptible to the exploit.", "description_and_impact": "The vulnerability is an XPath injection flaw that allows an attacker to submit crafted XPath expressions to Apache HertzBeat. The untrusted input is not properly neutralized, which can lead to uncontrolled consumption of system resources. An attacker could trigger excessive CPU or memory usage, potentially resulting in a denial\u2011of\u2011service condition for the application or its users.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. Apache HertzBeat does not appear in the CISA KEV catalog. The attack requires remote delivery of a malicious XPath expression, likely via exposed API endpoints or web interfaces that accept user input. If exploited, the resource exhaustion can degrade performance or crash the service, interrupting business operations."}}}}, "created": "2026-02-10T11:34:21.271981+00:00", "updated": "2026-04-17T21:00:12.706912+00:00", "vendors": ["apache", "apache$PRODUCT$hertzbeat"]}