| CVE-2026-43512 |
critical |
9.8 |
9.8 |
|
|
|
23d ago |
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr… |
| CVE-2026-41293 |
critical |
9.8 |
9.8 |
|
|
|
23d ago |
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0… |
| CVE-2017-5651 |
critical |
9.8 |
9.8 |
|
|
|
9y ago |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, … |
| CVE-2025-55754 |
critical |
9.6 |
9.6 |
|
|
|
16d ago |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Win… |
| CVE-2026-43515 |
critical |
9.1 |
9.1 |
|
|
|
23d ago |
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… |
| CVE-2017-5648 |
critical |
9.1 |
9.1 |
|
|
|
9y ago |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th… |
| CVE-2026-43514 |
low |
3.7 |
3.7 |
|
|
|
23d ago |
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M… |
| CVE-2017-12617 |
unknown |
— |
2.5 |
|
|
|
4y ago |
When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the serv… |
| CVE-2017-12615 |
unknown |
— |
2.5 |
|
|
|
8y ago |
When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it conta… |
| CVE-2019-0221 |
unknown |
— |
1.0 |
|
|
|
7y ago |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by… |
| CVE-2019-0232 |
unknown |
— |
1.0 |
|
|
|
7y ago |
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b… |
| CVE-2026-34487 |
unknown |
— |
— |
|
|
|
2mo ago |
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat… |
| CVE-2026-34483 |
unknown |
— |
— |
|
|
|
2mo ago |
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 1… |
| CVE-2026-25854 |
unknown |
— |
— |
|
|
|
2mo ago |
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro… |
| CVE-2026-32990 |
unknown |
— |
— |
|
|
|
2mo ago |
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… |
| CVE-2026-24733 |
unknown |
— |
— |
|
|
|
4mo ago |
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny… |
| CVE-2025-66614 |
unknown |
— |
— |
|
|
|
4mo ago |
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were… |
| CVE-2026-24734 |
unknown |
— |
— |
|
|
|
4mo ago |
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verific… |
| CVE-2025-49124 |
unknown |
— |
— |
|
|
|
1y ago |
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A… |
| CVE-2024-52317 |
unknown |
— |
— |
|
|
|
2y ago |
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between us… |
| CVE-2024-21733 |
unknown |
— |
— |
|
|
|
2y ago |
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL vers… |
| CVE-2023-34981 |
unknown |
— |
— |
|
|
|
3y ago |
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for th… |
| CVE-2022-45143 |
unknown |
— |
— |
|
|
|
4y ago |
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… |
| CVE-2022-42252 |
unknown |
— |
— |
|
|
|
4y ago |
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… |
| CVE-2008-1947 |
unknown |
— |
— |
|
|
|
4y ago |
Apache Tomcat Cross-site scripting (XSS) vulnerability |
| CVE-2021-25122 |
unknown |
— |
— |
|
|
|
5y ago |
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body… |
| CVE-2021-25329 |
unknown |
— |
— |
|
|
|
5y ago |
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikel… |
| CVE-2019-17569 |
unknown |
— |
— |
|
|
|
6y ago |
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were … |
| CVE-2019-12418 |
unknown |
— |
— |
|
|
|
7y ago |
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration f… |
| CVE-2019-17563 |
unknown |
— |
— |
|
|
|
7y ago |
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The wind… |
| CVE-2019-10072 |
unknown |
— |
— |
|
|
|
7y ago |
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDA… |
| CVE-2018-1336 |
unknown |
— |
— |
|
|
|
8y ago |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 t… |
| CVE-2018-1305 |
unknown |
— |
— |
|
|
|
8y ago |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. … |
| CVE-2018-1304 |
unknown |
— |
— |
|
|
|
8y ago |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 … |
