Apache · Apache Http Server · CVE-2026-28780
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server versions prior to 2.4.67
**Description**
A heap-based buffer overflow exists in the `mod proxy ajp` module. If `mod proxy ajp` connects to a malicious AJP server, that server can send a crafted AJP message causing the system to write four attacker-controlled bytes beyond the end of a heap-based buffer, leading to memory corruption.
**Recommendations**
Upgrade to version 2.4.67.