| CVE-2023-44487 | high | 7.5 | 10.0 | | | | 3y ago | Important: nghttp2 security update |
| CVE-2025-31650 | high | — | 9.0 | | | | 11mo ago | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … |
| CVE-2016-6816 | high | 7.1 | 8.1 | | | | 9y ago | The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could b… |
| CVE-2026-29129 | high | — | 8.0 | | | | 2mo ago | Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… |
| CVE-2026-24880 | high | — | 8.0 | | | | 2mo ago | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … |
| CVE-2025-53506 | high | — | 8.0 | | | | 10mo ago | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue … |
| CVE-2024-34750 | high | — | 8.0 | | | | 2y ago | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP hea… |
| CVE-2024-24549 | high | — | 8.0 | | | | 2y ago | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for head… |
| CVE-2020-13934 | high | — | 8.0 | | | | 4y ago | An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of … |
| CVE-2019-0199 | high | — | 8.0 | | | | 6y ago | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without re… |
| CVE-2025-48989 | high | 7.5 | 7.5 | | | | 10mo ago | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… |
| CVE-2026-32990 | unknown | — | — | | | | 2mo ago | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… |
| CVE-2026-24734 | unknown | — | — | | | | 4mo ago | Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verific… |
| CVE-2024-52317 | unknown | — | — | | | | 2y ago | Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between us… |
| CVE-2024-21733 | unknown | — | — | | | | 2y ago | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL vers… |
| CVE-2023-34981 | unknown | — | — | | | | 3y ago | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for th… |
| CVE-2022-42252 | unknown | — | — | | | | 4y ago | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… |
| CVE-2020-13943 | unknown | — | — | | | | 4y ago | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… |