| CVE-2026-43512 |
critical |
9.8 |
9.8 |
|
|
|
23d ago |
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr… |
| CVE-2026-41293 |
critical |
9.8 |
9.8 |
|
|
|
23d ago |
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0… |
| CVE-2025-55754 |
critical |
9.6 |
9.6 |
|
|
|
16d ago |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Win… |
| CVE-2026-43515 |
critical |
9.1 |
9.1 |
|
|
|
23d ago |
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… |
| CVE-2017-5648 |
critical |
9.1 |
9.1 |
|
|
|
9y ago |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th… |
| CVE-2025-24813 |
medium |
— |
8.0 |
|
|
|
1y ago |
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. |
| CVE-2024-50379 |
medium |
— |
5.5 |
|
|
|
11mo ago |
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (… |
| CVE-2023-28708 |
medium |
— |
5.5 |
|
|
|
3y ago |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to … |
| CVE-2025-61795 |
medium |
5.3 |
5.3 |
|
|
|
7mo ago |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded … |
| CVE-2012-5886 |
medium |
— |
5.0 |
|
|
|
14y ago |
Improper Authentication in Apache Tomcat |
| CVE-2014-0119 |
medium |
— |
4.3 |
|
|
|
12y ago |
Missing XML Validation in Apache Tomcat |
| CVE-2014-0096 |
medium |
— |
4.3 |
|
|
|
12y ago |
Improper Input Validation in Apache Tomcat |
| CVE-2017-12617 |
unknown |
— |
2.5 |
|
|
|
4y ago |
When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the serv… |
| CVE-2016-8735 |
unknown |
— |
1.5 |
|
|
|
4y ago |
Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This C… |
| CVE-2026-34483 |
unknown |
— |
— |
|
|
|
2mo ago |
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 1… |
| CVE-2026-34487 |
unknown |
— |
— |
|
|
|
2mo ago |
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat… |
| CVE-2026-25854 |
unknown |
— |
— |
|
|
|
2mo ago |
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro… |
| CVE-2026-24733 |
unknown |
— |
— |
|
|
|
4mo ago |
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny… |
| CVE-2025-66614 |
unknown |
— |
— |
|
|
|
4mo ago |
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were… |
| CVE-2025-49124 |
unknown |
— |
— |
|
|
|
1y ago |
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A… |
| CVE-2024-52316 |
unknown |
— |
— |
|
|
|
2y ago |
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception dur… |
| CVE-2022-45143 |
unknown |
— |
— |
|
|
|
4y ago |
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… |
