Vulnerability Watch

Forum Discussion

Anonymous
4 years ago

Path Traversal Zero-Day in Apache HTTP Server Exploited (CVE-2021-41773)

On October 5, the Apache HTTP Server Project patched CVE-2021-41773, a path traversal and file disclosure vulnerability in Apache HTTP Server, an open-source web server for Unix and Windows that is among the most widely used web servers. According to the security advisory, CVE-2021-41773 has been exploited in the wild as a zero-day. 

CVE-2021-41773 was introduced into Apache HTTP Server by a change made to path normalization in version 2.4.49, which was released on September 15. This vulnerability only impacts Apache HTTP Server version 2.4.49 with the “require all denied” access control configuration disabled. 

For more information, please visit our blog.

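An added example, not part of the original post or of the Apache project's code: a check of one host against the two conditions the post states (version 2.4.49, and no `Require all denied` on the root directory). The function names, status strings and sample inputs are constructed, and the check reads only the config text passed in, without following `Include` directives.

```python
import re

AFFECTED_VERSION = "2.4.49"  # the only release the post names as affected

# Constructed sample inputs, not taken from a real host.
BANNER = "Server version: Apache/2.4.49 (Unix)"
CONF_DENIED = """
<Directory />
    AllowOverride none
    Require all denied
</Directory>
"""
CONF_OPEN = """
<Directory "/">
    AllowOverride none
    # Require all denied
    Require all granted
</Directory>
"""

def parse_version(banner):
    """Pull x.y.z out of `httpd -v` style output; None if it is not Apache."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def root_denied(config_text):
    """True if the root <Directory> block ends up at 'Require all denied'."""
    in_root, denied = False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            in_root = False
        elif in_root:
            m = re.fullmatch(r"Require\s+all\s+(denied|granted)", line, re.I)
            if m:  # simplification (assumption): the last such directive wins
                denied = m.group(1).lower() == "denied"
    return denied

def assess(banner, config_text):
    """Classify a host against the two conditions stated in the post."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version != AFFECTED_VERSION:
        return "version-not-listed"
    return "affected-version-root-denied" if root_denied(config_text) else "exposed"
```

Feed it the output of `httpd -v` and the contents of the main configuration file; a result of `exposed` means both conditions from the post hold for the text inspected.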