| CVE-2026-43514 | low | 3.7 | 3.7 | 23d ago | Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M… |
| CVE-2010-1157 | low | — | 3.6 | 16y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2013-2071 | low | — | 2.6 | 13y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2024-54677 | low | — | 2.5 | 2y ago | Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.… |
| CVE-2011-2204 | low | — | 1.9 | 15y ago | Insertion of Sensitive Information into Log File in Apache Tomcat |
| CVE-2010-3718 | low | — | 1.2 | 16y ago | Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat |
| CVE-2022-29885 | unknown | — | 1.0 | 4y ago | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to r… |
| CVE-2009-0580 | unknown | — | 1.0 | 4y ago | Exposure of Sensitive Information in Apache Tomcat |
| CVE-2008-2938 | unknown | — | 1.0 | 4y ago | Apache Tomcat Directory Traversal vulnerability |
| CVE-2008-2370 | unknown | — | 1.0 | 4y ago | Apache Tomcat Path Traversal Vulnerability |
| CVE-2008-1232 | unknown | — | 1.0 | 4y ago | Apache Tomcat Cross-site scripting (XSS) vulnerability |
| CVE-2007-5461 | unknown | — | 1.0 | 4y ago | Apache Tomcat Path Traversal Vulnerability |
| CVE-2007-5333 | unknown | — | 1.0 | 4y ago | Exposure of Sensitive Information in Apache Tomcat |
| CVE-2007-3382 | unknown | — | 1.0 | 4y ago | Apache Tomcat treats single quotes as delimiters in cookies |
| CVE-2007-2449 | unknown | — | 1.0 | 4y ago | Apache Tomcat XSS Vulnerabilities in Examples Web Application |
| CVE-2007-0450 | unknown | — | 1.0 | 4y ago | Apache Tomcat Directory Traversal |
| CVE-2006-7196 | unknown | — | 1.0 | 4y ago | Cross-site scripting in Apache Tomcat |
| CVE-2006-3835 | unknown | — | 1.0 | 4y ago | Apache Tomcat Reveals Directories |
| CVE-2005-4703 | unknown | — | 1.0 | 4y ago | Apache Tomcat Discloses MS-DOS Pathname |
| CVE-2002-2272 | unknown | — | 1.0 | 4y ago | Apache Tomcat DoS via Malicious Get Request |
| CVE-2002-2006 | unknown | — | 1.0 | 4y ago | Apache Tomcat Default Installation Reveals Sensitive Information |
| CVE-2002-1567 | unknown | — | 1.0 | 4y ago | Apache Tomcat XSS Vulnerability |
| CVE-2002-1148 | unknown | — | 1.0 | 4y ago | Apache Tomcat Source Code Disclosure |
| CVE-2000-0759 | unknown | — | 1.0 | 4y ago | Jakarta Apache Tomcat Reveals Physical Paths |
| CVE-2003-0866 | unknown | — | 1.0 | 4y ago | Apache Tomcat Denial of Service vulnerability in the Catalina package |
| CVE-2003-0042 | unknown | — | 1.0 | 4y ago | Jakarta Tomcat Directory Listing vulnerability |
| CVE-2026-34483 | unknown | — | — | 2mo ago | Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 1… |
| CVE-2026-34487 | unknown | — | — | 2mo ago | Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat… |
| CVE-2026-32990 | unknown | — | — | 2mo ago | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… |
| CVE-2026-25854 | unknown | — | — | 2mo ago | Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro… |
| CVE-2026-29146 | unknown | — | — | 2mo ago | Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from … |
| CVE-2025-66614 | unknown | — | — | 4mo ago | Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were… |
| CVE-2026-24733 | unknown | — | — | 4mo ago | Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny… |
| CVE-2025-49124 | unknown | — | — | 1y ago | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A… |
| CVE-2021-43980 | unknown | — | — | 4y ago | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in … |
| CVE-2022-34305 | unknown | — | — | 4y ago | In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data with… |
| CVE-2012-5887 | unknown | — | — | 4y ago | Improper Authentication in Apache Tomcat |
| CVE-2008-5515 | unknown | — | — | 4y ago | Directory Traversal in Apache Tomcat |
| CVE-2016-8747 | unknown | — | — | 4y ago | Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request |
| CVE-2017-15706 | unknown | — | — | 4y ago | As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorit… |
| CVE-2009-0783 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2009-0781 | unknown | — | — | 4y ago | Cross-site scripting in Apache Tomcat |
| CVE-2009-0033 | unknown | — | — | 4y ago | Apache Tomcat Denial of Service via Malformed Request Headers |
| CVE-2008-4308 | unknown | — | — | 4y ago | Apache Tomcat information disclosure vulnerability |
| CVE-2008-1947 | unknown | — | — | 4y ago | Apache Tomcat Cross-site scripting (XSS) vulnerability |
| CVE-2008-0002 | unknown | — | — | 4y ago | Apache Tomcat Sensitive Information Disclosure |
| CVE-2007-6286 | unknown | — | — | 4y ago | Apache Tomcat Does Not Properly Handle Empty Requests |
| CVE-2007-4724 | unknown | — | — | 4y ago | Apache Tomcat Example Application CSRF and XSS Vulnerabilities |
| CVE-2007-3384 | unknown | — | — | 4y ago | Apache Tomcat's CookieExample Vulnerable to XSS |
| CVE-2007-3385 | unknown | — | — | 4y ago | Apache Tomcat Mishandles Character Sequence in Cookies |
| CVE-2007-3383 | unknown | — | — | 4y ago | Apache Tomcat SendMailServlet XSS |
| CVE-2007-2450 | unknown | — | — | 4y ago | Apache Tomcat vulnerable to Cross-site Scripting |
| CVE-2007-1358 | unknown | — | — | 4y ago | Apache Tomcat XSS In Accept-Language Headers |
| CVE-2006-7195 | unknown | — | — | 4y ago | Apache Tomcat XSS Vulnerability |
| CVE-2006-7197 | unknown | — | — | 4y ago | Apache Tomcat Buffer Over-Read |
| CVE-2005-4836 | unknown | — | — | 4y ago | Apache Tomcat allows remote attackers to read JSP source files |
| CVE-2005-3510 | unknown | — | — | 4y ago | Apache Tomcat Vulnerable to Denial of Service (DoS) via Simultaneous Requests |
| CVE-2005-3164 | unknown | — | — | 4y ago | Apache Tomcat AJP Connector Information Leak |
| CVE-2005-2090 | unknown | — | — | 4y ago | Tomcat Vulnerable to Web Cache Poisoning |
| CVE-2002-2008 | unknown | — | — | 4y ago | Apache Tomcat Leaks Information via Error Message |
| CVE-2002-2009 | unknown | — | — | 4y ago | Apache Tomcat Leaks Pathname Information via Error Message |
| CVE-2002-1394 | unknown | — | — | 4y ago | Apache Tomcat Source Code Disclosure |
| CVE-2002-0935 | unknown | — | — | 4y ago | Apache Tomcat DoS Via Requests Including Null Characters |
| CVE-2002-0493 | unknown | — | — | 4y ago | Apache Tomcat may be started without proper security settings |
| CVE-2001-0917 | unknown | — | — | 4y ago | Apache Tomcat Reveals Path through Long URL |
| CVE-2001-0829 | unknown | — | — | 4y ago | Apache Tomcat allows webmasters to insert xss into error messages |
| CVE-2000-1210 | unknown | — | — | 4y ago | Apache Tomcat Directory Traversal |
| CVE-2003-0044 | unknown | — | — | 4y ago | Jakarta Tomcat cross-site scripting (XSS) vulnerability |
| CVE-2003-0043 | unknown | — | — | 4y ago | Tomcat uses trusted privileges when processing web.xml file |
| CVE-2003-0045 | unknown | — | — | 4y ago | Jakarta Tomcat Denial of Service vulnerability |
| CVE-2020-8022 | unknown | — | — | 4y ago | Incorrect Default Permissions in Apache Tomcat |
| CVE-2022-23181 | unknown | — | — | 4y ago | The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed… |
| CVE-2021-41079 | unknown | — | — | 5y ago | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a spec… |
| CVE-2021-30640 | unknown | — | — | 5y ago | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This… |
| CVE-2021-33037 | unknown | — | — | 5y ago | Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request… |
| CVE-2021-30639 | unknown | — | — | 5y ago | A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the e… |
| CVE-2019-17569 | unknown | — | — | 6y ago | The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were … |