Out-of-bounds Write The advisory has been revoked - it doesn't affect any version of package jbcs-httpd24-httpd-libs  (opens in a new tab)


Threat Intelligence

EPSS
1.33% (68th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-JBCSHTTPD24HTTPDLIBS-16434413
  • published6 May 2026
  • disclosed5 May 2026

Introduced: 5 May 2026

CVE-2026-28780  (opens in a new tab)
CWE-787  (opens in a new tab)

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:7.

NVD Description

Note: Versions mentioned in the description apply only to the upstream jbcs-httpd24-httpd-libs package and not the jbcs-httpd24-httpd-libs package as distributed by RHEL.

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.