High severity7.5NVD Advisory· Published May 12, 2026· Updated May 14, 2026

CVE-2026-41284

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Affected products

Apache/Tomcatinferred
Range: >=11.0.0-M1,<=11.0.21; >=10.1.0-M1,<=10.1.54; >=9.0.0.M1,<=9.0.117

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/12/12nvdMailing ListThird Party Advisory
lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qcnvdMailing ListVendor Advisory

News mentions

⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
The Hacker News · May 11, 2026
Weaver E-cology critical bug exploited in attacks since March
BleepingComputer · May 4, 2026
Siemens SIMATIC
CISA Alerts

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000