A security advisory from The Apache Software Foundation warns of a vulnerability in HertzBeat that could allow attackers to overwhelm the system with malicious data queries. Tracked as CVE-2026-24343, the flaw is described as an XPath Injection leading to Uncontrolled Resource Consumption, potentially causing the HertzBeat collector to exhaust CPU or memory and degrade or crash the service.
The issue affects Apache HertzBeat (hertzbeat-collector) versions 1.7.1 through 1.7.9, with the range specified as “1.7.1 before 1.8.0”. The maintainers have addressed the flaw in version 1.8.0, and administrators are urged to upgrade to this release immediately to mitigate the risk of a denial-of-service condition. HertzBeat is an AI-powered real-time observability platform designed to unify metrics and logs, and the vulnerability is reported to arise from how it processes XML-like data.