Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-8m3p-yzr8-yyhj
Vulnerability ID VCID-8m3p-yzr8-yyhj
Aliases CVE-2024-41937
GHSA-w7cp-g8v7-r54m
PYSEC-2024-181
Summary Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
epss 0.00852 https://api.first.org/data/v1/epss?cve=CVE-2024-41937
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-w7cp-g8v7-r54m
cvssv3.1 6.1 https://github.com/apache/airflow/pull/40933
cvssv3.1 6.1 https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
cvssv3.1 6.1 http://www.openwall.com/lists/oss-security/2024/08/21/3
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-41937
https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
https://github.com/apache/airflow/pull/40933
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
http://www.openwall.com/lists/oss-security/2024/08/21/3
CVE-2024-41937 https://nvd.nist.gov/vuln/detail/CVE-2024-41937
GHSA-w7cp-g8v7-r54m https://github.com/advisories/GHSA-w7cp-g8v7-r54m
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/apache/airflow/pull/40933
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2024/08/21/3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.75225
EPSS Score 0.00852
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:34:55.191726+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2024-181.yaml 38.6.0