Apache 2.4.67 Patches 11 CVEs. One Is RCE. One Hits Shared Hosting.

The Apache Software Foundation released HTTP Server 2.4.67 on May 4, 2026, addressing 11 security vulnerabilities. The most severe is CVE-2026-23918 (CVSS 8.8), a double-free memory corruption flaw in Apache’s HTTP/2 implementation that can enable remote code execution. A separate moderate-severity issue, CVE-2026-24072, allows any user with write access to a .htaccess file to read files belonging to other accounts on the …