Spark

This hub aggregates every CVE we track for Spark, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Spark.

• CVE-2025-54920Apache Spark: Spark History Server Code Execution Vulnerability8.8Mar 14, 2026
• CVE-2026-1743DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay3.1Feb 2, 2026
• CVE-2025-55039Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks6.5Oct 15, 2025
• CVE-2025-3518File upload functionality possible even when disabled4.3Apr 22, 2025
• CVE-2024-23945Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails5.9Dec 23, 2024
• CVE-2023-32007Apache Spark: Shell command injection via Spark UI8.8May 2, 2023
• CVE-2023-22946Apache Spark proxy-user privilege escalation from malicious configuration class6.4Apr 17, 2023
• CVE-2022-31777Apache Spark XSS vulnerability in log viewer UI Javascript5.4Nov 1, 2022
• CVE-2022-33891Apache Spark shell command injection vulnerability via Spark UIKEV8.8Jul 18, 2022
• CVE-2021-38296Apache Spark Key Negotiation Vulnerability7.5Mar 10, 2022
• CVE-2021-32054Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a vict...6.1May 14, 2021
• CVE-2020-27223In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) pa...5.2Feb 26, 2021
• CVE-2020-27218In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clien...4.8Nov 28, 2020
• CVE-2020-9480In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-cr...9.8Jun 23, 2020
• CVE-2020-12772An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP addr...8.8May 12, 2020