| CVE | Severity | Score (1) | Score (2) | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-44487 | high | 7.5 | 10.0 | 3y ago | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2017-5651 | critical | 9.8 | 9.8 | 9y ago | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, … |
| CVE-2025-31650 | high | — | 9.0 | 11mo ago | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … |
| CVE-2016-6816 | high | 7.1 | 8.1 | 9y ago | The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could b… |
| CVE-2026-24880 | high | — | 8.0 | 2mo ago | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … |
| CVE-2026-29129 | high | — | 8.0 | 2mo ago | Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… |
| CVE-2025-53506 | high | — | 8.0 | 10mo ago | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue … |
| CVE-2024-34750 | high | — | 8.0 | 2y ago | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP hea… |
| CVE-2024-24549 | high | — | 8.0 | 2y ago | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for head… |
| CVE-2020-13934 | high | — | 8.0 | 4y ago | An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of … |
| CVE-2019-0199 | high | — | 8.0 | 6y ago | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without re… |
| CVE-2025-48989 | high | 7.5 | 7.5 | 10mo ago | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… |
| CVE-2023-42794 | medium | — | 5.5 | 2y ago | Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in pro… |
| CVE-2023-42795 | medium | — | 5.5 | 2y ago | Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0… |
| CVE-2023-28709 | medium | — | 5.5 | 3y ago | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used suc… |
| CVE-2023-24998 | medium | — | 5.5 | 3y ago | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploa… |
| CVE-2020-17527 | medium | — | 5.5 | 4y ago | While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream re… |
| CVE-2014-0095 | medium | — | 5.0 | 12y ago | Denial of service in Apache Tomcat |
| CVE-2014-0075 | medium | — | 5.0 | 12y ago | Integer Overflow or Wraparound in Apache Tomcat |
| CVE-2026-32990 | unknown | — | — | 2mo ago | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… |
| CVE-2026-24734 | unknown | — | — | 4mo ago | Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verific… |
| CVE-2024-52317 | unknown | — | — | 2y ago | Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between us… |
| CVE-2024-21733 | unknown | — | — | 2y ago | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL vers… |
| CVE-2023-34981 | unknown | — | — | 3y ago | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for th… |
| CVE-2022-42252 | unknown | — | — | 4y ago | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… |
| CVE-2020-13943 | unknown | — | — | 4y ago | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… |