| CVE-2023-44487 |
high |
7.5 |
10.0 |
|
|
|
3y ago |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2026-43512 |
critical |
9.8 |
9.8 |
|
|
|
22d ago |
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr… |
| CVE-2026-41293 |
critical |
9.8 |
9.8 |
|
|
|
22d ago |
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0… |
| CVE-2025-55754 |
critical |
9.6 |
9.6 |
|
|
|
16d ago |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Win… |
| CVE-2026-43515 |
critical |
9.1 |
9.1 |
|
|
|
22d ago |
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… |
| CVE-2026-29129 |
high |
— |
8.0 |
|
|
|
2mo ago |
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… |
| CVE-2026-24880 |
high |
— |
8.0 |
|
|
|
2mo ago |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … |
| CVE-2019-0199 |
high |
— |
8.0 |
|
|
|
6y ago |
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without re… |
| CVE-2020-9484 |
high |
— |
8.0 |
|
|
|
6y ago |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; … |
| CVE-2026-43513 |
high |
7.5 |
7.5 |
|
|
|
22d ago |
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 … |
| CVE-2026-41284 |
high |
7.5 |
7.5 |
|
|
|
22d ago |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 t… |
| CVE-2025-55752 |
high |
7.5 |
7.5 |
|
|
|
6mo ago |
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the po… |
| CVE-2025-48989 |
high |
7.5 |
7.5 |
|
|
|
10mo ago |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… |
| CVE-2026-42498 |
high |
7.3 |
7.3 |
|
|
|
22d ago |
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1… |
| CVE-2025-61795 |
medium |
5.3 |
5.3 |
|
|
|
7mo ago |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded … |
| CVE-2026-43514 |
low |
3.7 |
3.7 |
|
|
|
22d ago |
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M… |
