Apache CVEs & Vulnerabilities

281 CVEs affecting Apache products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

airflow 38tomcat 29http server 24activemq 21ofbiz 19camel 18cxf 17apisix 15
CVE-2025-53648MEDIUM

SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue.

30 Jun 2026
5.4
CVSS
CVE-2026-54475HIGH

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-53917HIGH

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker. An authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-53916HIGH

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-52760MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
6.1
CVSS
CVE-2026-50750HIGH

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-50734HIGH

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-49877HIGH

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
8.1
CVSS
CVE-2026-49434HIGH

Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-49432HIGH

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

30 Jun 2026
7.5
CVSS
CVE-2026-55957HIGH

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

30 Jun 2026
7.3
CVSS
CVE-2026-55956MEDIUM

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

30 Jun 2026
6.5
CVSS
CVE-2026-55955MEDIUM

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.

30 Jun 2026
6.5
CVSS
CVE-2026-55276CRITICAL

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.

30 Jun 2026
9.1
CVSS
CVE-2026-53434CRITICAL

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

30 Jun 2026
9.1
CVSS
CVE-2026-53404HIGH

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

30 Jun 2026
7.3
CVSS
CVE-2026-50229MEDIUM

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

30 Jun 2026
6.1
CVSS
CVE-2026-49486HIGH

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

26 Jun 2026
7.5
CVSS
CVE-2026-54665MEDIUM

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.

22 Jun 2026
5.3
CVSS
CVE-2026-44914HIGH

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.

22 Jun 2026
7.2
CVSS
CVE-2026-44913HIGH

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which incorporates more robust identifier escaping.

22 Jun 2026
7.2
CVSS
CVE-2026-44911MEDIUM

Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, requiring write access to submit configuration verification requests.

22 Jun 2026
6.3
CVSS
CVE-2025-66336HIGH

Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.

22 Jun 2026
8.1
CVSS
CVE-2025-62198MEDIUM

An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue.

22 Jun 2026
5.4
CVSS
CVE-2026-49872HIGH

Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
8.1
CVSS
CVE-2026-49871CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
9.3
CVSS
CVE-2026-49231MEDIUM

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
5.4
CVSS
CVE-2026-49230CRITICAL

Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.  This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
9.1
CVSS
CVE-2026-48895HIGH

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
7.2
CVSS
CVE-2026-47341MEDIUM

Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
6.5
CVSS
CVE-2026-47339HIGH

Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
8.1
CVSS
CVE-2026-44915MEDIUM

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
6.1
CVSS
CVE-2026-44087CRITICAL

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
9.1
CVSS
CVE-2026-44046MEDIUM

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
5.8
CVSS
CVE-2026-39999CRITICAL

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue.

19 Jun 2026
9.1
CVSS
CVE-2026-39998HIGH

Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

19 Jun 2026
8.8
CVSS
CVE-2026-49268CRITICAL

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

17 Jun 2026
9.1
CVSS
CVE-2026-50203CRITICAL

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.

17 Jun 2026
9.1
CVSS
CVE-2026-47340MEDIUM

Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

17 Jun 2026
6.5
CVSS
CVE-2026-42357MEDIUM

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

17 Jun 2026
6.5
CVSS
CVE-2026-41280MEDIUM

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

17 Jun 2026
4.9
CVSS
CVE-2026-32967CRITICAL

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

17 Jun 2026
9.1
CVSS
CVE-2026-32966CRITICAL

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

17 Jun 2026
9.8
CVSS
CVE-2026-50645HIGH

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message.

12 Jun 2026
7.5
CVSS
CVE-2026-50634MEDIUM

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

12 Jun 2026
6.5
CVSS
CVE-2026-50633HIGH

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

12 Jun 2026
8.1
CVSS
CVE-2026-50632HIGH

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

12 Jun 2026
8.1
CVSS
CVE-2026-50631HIGH

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

12 Jun 2026
7.4
CVSS
← PrevPage 1 / 6Next →