Critical severity 9.8 · NVD Advisory · Published May 12, 2026 · Updated May 15, 2026
CVE-2026-41293
Description
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | < 9.0.118 | 9.0.118 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
| org.apache.tomcat:tomcat (Maven) | < 9.0.118 | 9.0.118 |
| org.apache.tomcat:tomcat (Maven) | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
| org.apache.tomcat:tomcat (Maven) | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
| org.apache.tomcat:tomcat-catalina (Maven) | < 9.0.118 | 9.0.118 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
Affected products
osv-coords, 39 versions (no CPE listed for any entry):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/camunda-8.8 | < 8.8.24-r2 |
| pkg:apk/chainguard/camunda-8.9 | < 8.9.5-r2 |
| pkg:apk/chainguard/camunda-zeebe-8.7 | < 8.7.29-r1 |
| pkg:apk/chainguard/camunda-zeebe-8.8 | < 8.8.24-r1 |
| pkg:apk/chainguard/camunda-zeebe-8.9 | < 8.9.5-r2 |
| pkg:apk/chainguard/kayenta-2025.4 | < 2025.4.3-r8 |
| pkg:apk/chainguard/kayenta-2026.0 | < 2026.0.2-r8 |
| pkg:apk/chainguard/kayenta-2026.1 | < 2026.1.0-r1 |
| pkg:apk/chainguard/kayenta-fips-2025.4 | < 2025.4.3-r9 |
| pkg:apk/chainguard/kayenta-fips-2026.0 | < 2026.0.2-r9 |
| pkg:apk/chainguard/kayenta-fips-2026.1 | < 2026.1.0-r1 |
| pkg:apk/chainguard/nacos | < 3.2.1-r3 |
| pkg:apk/chainguard/nacos-docker | < 3.2.2-r0 |
| pkg:apk/chainguard/ontop | < 5.5.0-r9 |
| pkg:apk/chainguard/ontop-fips | < 5.5.0-r5 |
| pkg:apk/chainguard/thingsboard-tb-mqtt-transport | < 4.3.1.2-r0 |
| pkg:apk/chainguard/thingsboard-tb-node | < 4.3.1.2-r0 |
| pkg:apk/wolfi/thingsboard-tb-mqtt-transport | < 4.3.1.2-r0 |
| pkg:apk/wolfi/thingsboard-tb-node | < 4.3.1.2-r0 |
| pkg:bitnami/tomcat | >= 10.0.0, < 10.1.55 |
| pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed | < 10.1.55-1.1 |
| pkg:rpm/opensuse/tomcat11&distro=openSUSE%20Tumbleweed | < 11.0.22-1.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed | < 9.0.118-1.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 10.1.55-160000.1.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 10.1.55-150200.5.67.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 10.1.55-160000.1.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 11.0.22-150600.13.21.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 11.0.22-150600.13.21.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 11.0.22-160000.1.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 11.0.22-150600.13.21.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 11.0.22-160000.1.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 9.0.118-160000.1.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 9.0.118-160000.1.1 |
References
- www.openwall.com/lists/oss-security/2026/05/12/13 (nvd: Mailing List, Third Party Advisory, WEB)
- github.com/advisories/GHSA-r29c-68gh-xp6x (ghsa: ADVISORY)
- lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r (nvd: Mailing List, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-41293 (ghsa: ADVISORY)
- github.com/apache/tomcat/commit/19f17a257797e8d139b33ff9c88d362a273be148 (ghsa: WEB)
- github.com/apache/tomcat/commit/1c70480466572c9192ed412ebefcd43fc63137fd (ghsa: WEB)
- github.com/apache/tomcat/commit/2a2476460e823789f530a22207873ea8cd6eff3b (ghsa: WEB)
- github.com/apache/tomcat/commit/3915fd27e6810b14ccd21e3d900bd8faef44d3df (ghsa: WEB)
- github.com/apache/tomcat/commit/57c2b3bfd62792631e1df24cf4237b990a0b36fa (ghsa: WEB)
- github.com/apache/tomcat/commit/c2925554c677da57390f940d856871e18daaacab (ghsa: WEB)
- github.com/apache/tomcat/commit/cf9452443bcbf3b1a4b435ef7d624364f1b65ca3 (ghsa: WEB)
- github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac (ghsa: WEB)
- github.com/apache/tomcat/commit/f72a6174ab1f0f5a053435f80448b4f6837fe6d7 (ghsa: WEB)
- tomcat.apache.org/security-10.html (ghsa: WEB)
- tomcat.apache.org/security-11.html (ghsa: WEB)
- tomcat.apache.org/security-9.html (ghsa: WEB)