Org.apache.solr:solr-core

This hub aggregates every CVE we track for Org.apache.solr:solr-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Org.apache.solr:solr-core.

• CVE-2026-22022Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin8.2Jan 21, 2026
• CVE-2026-22444Apache Solr: Insufficient file-access checking in standalone core-creation requests7.1Jan 21, 2026
• CVE-2025-24814Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files5.5Jan 27, 2025
• CVE-2024-52012Apache Solr: Configset upload on Windows allows arbitrary path write-access5.4Jan 27, 2025
• CVE-2023-50291Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords7.5Feb 9, 2024
• CVE-2023-50292Apache Solr: Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users7.5Feb 9, 2024
• CVE-2023-50386Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets8.8Feb 9, 2024
• CVE-2023-50290Apache Solr: Host environment variables are published via the Metrics API6.5Jan 15, 2024
• CVE-2021-29262Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings7.5Apr 13, 2021
• CVE-2020-13957Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet th...9.8Oct 13, 2020
• CVE-2018-11802In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it doe...4.3Apr 1, 2020
• CVE-2019-17558Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `v...KEV7.5Dec 30, 2019
• CVE-2019-12409The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you u...9.8Nov 18, 2019
• CVE-2019-12401Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTI...7.5Sep 10, 2019
• CVE-2019-0193In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's ...KEV7.2Aug 1, 2019