| CVE-2023-44487 |
high |
7.5 |
10.0 |
|
|
|
3y ago |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2025-31650 |
high |
— |
9.0 |
|
|
|
11mo ago |
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … |
| CVE-2018-11784 |
high |
— |
9.0 |
|
|
|
8y ago |
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/f… |
| CVE-2025-46701 |
high |
— |
8.0 |
|
|
|
16d ago |
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to th… |
| CVE-2026-29129 |
high |
— |
8.0 |
|
|
|
2mo ago |
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… |
| CVE-2026-24880 |
high |
— |
8.0 |
|
|
|
2mo ago |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … |
| CVE-2025-31651 |
high |
— |
8.0 |
|
|
|
6mo ago |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to… |
| CVE-2025-53506 |
high |
— |
8.0 |
|
|
|
10mo ago |
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue … |
| CVE-2025-48988 |
high |
— |
8.0 |
|
|
|
10mo ago |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 th… |
| CVE-2025-49125 |
high |
— |
8.0 |
|
|
|
10mo ago |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possib… |
| CVE-2025-52520 |
high |
— |
8.0 |
|
|
|
10mo ago |
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0… |
| CVE-2024-56337 |
high |
— |
8.0 |
|
|
|
11mo ago |
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 throu… |
| CVE-2024-34750 |
high |
— |
8.0 |
|
|
|
2y ago |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP hea… |
| CVE-2024-24549 |
high |
— |
8.0 |
|
|
|
2y ago |
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for head… |
| CVE-2023-46589 |
high |
— |
8.0 |
|
|
|
2y ago |
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not c… |
| CVE-2021-24122 |
high |
— |
8.0 |
|
|
|
5y ago |
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to … |
| CVE-2019-0199 |
high |
— |
8.0 |
|
|
|
6y ago |
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without re… |
| CVE-2020-9484 |
high |
— |
8.0 |
|
|
|
6y ago |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; … |
| CVE-2018-8037 |
high |
— |
8.0 |
|
|
|
8y ago |
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for… |
| CVE-2018-8034 |
high |
— |
8.0 |
|
|
|
8y ago |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52… |
| CVE-2018-8014 |
high |
— |
8.0 |
|
|
|
8y ago |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all ori… |
| CVE-2026-43513 |
high |
7.5 |
7.5 |
|
|
|
23d ago |
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 … |
| CVE-2026-41284 |
high |
7.5 |
7.5 |
|
|
|
23d ago |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 t… |
| CVE-2025-55752 |
high |
7.5 |
7.5 |
|
|
|
6mo ago |
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the po… |
| CVE-2025-48989 |
high |
7.5 |
7.5 |
|
|
|
10mo ago |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… |
| CVE-2026-42498 |
high |
7.3 |
7.3 |
|
|
|
23d ago |
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1… |
