Maven package

org.apache.tomcat/tomcat

pkg:maven/org.apache.tomcat/tomcat

Vulnerabilities (148)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-34487	Hig	7.5	>= 9.0.13, < 9.0.117	9.0.117	Apr 9, 2026	Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 thr
CVE-2026-34486	Hig	7.5	>= 11.0.20, < 11.0.21	11.0.21	Apr 9, 2026	Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.
CVE-2026-34483	Hig	7.5	>= 9.0.40, < 9.0.116	9.0.116	Apr 9, 2026	Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version
CVE-2026-32990	Med	5.3	>= 9.0.113, < 9.0.116	9.0.116	Apr 9, 2026	Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,
CVE-2026-29146	Hig	7.5	>= 9.0.13, < 9.0.116	9.0.116	Apr 9, 2026	Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
CVE-2026-25854	Med	6.1	>= 8.5.30, < 9.0.116	9.0.116	Apr 9, 2026	Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through
CVE-2026-24733		—	>= 11.0.0-M1, < 11.0.15	11.0.15	Feb 17, 2026	Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending
CVE-2025-66614		—	>= 11.0.0-M1, < 11.0.15	11.0.15	Feb 17, 2026	Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through
CVE-2025-61795	Med	5.3	>= 11.0.0-M1, < 11.0.12	11.0.12	Oct 27, 2025	Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage co
CVE-2025-55754	Cri	9.6	>= 11.0.0-M1, < 11.0.11	11.0.11	Oct 27, 2025	Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was po
CVE-2025-55752	Hig	7.5	>= 11.0.0-M1, < 11.0.11	11.0.11	Oct 27, 2025	Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL,
CVE-2025-49124		—	>= 11.0.0-M1, < 11.0.8	11.0.8	Jun 16, 2025	Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.
CVE-2023-45648		—	>= 11.0.0-M1, < 11.0.0-M12	11.0.0-M12	Oct 10, 2023	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header
CVE-2023-42795		—	>= 9.0.0-M1, < 9.0.81	9.0.81	Oct 10, 2023	Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part
CVE-2023-41080		—	>= 11.0.0-M1, < 11.0.0-M11	11.0.0-M11	Aug 25, 2023	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E
CVE-2021-43980		—	>= 8.5.0, < 8.5.78	8.5.78	Sep 28, 2022	The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and
CVE-2022-34305		—	>= 10.1.0-M1, < 10.1.0-M17	10.1.0-M17	Jun 23, 2022	In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
CVE-2022-25762		—	>= 8.5.0, < 8.5.75	8.5.75	May 13, 2022	If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The e
CVE-2022-29885		—	>= 10.1.0-M1, < 10.1.0-M15	10.1.0-M15	May 12, 2022	The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor
CVE-2022-23181		—	>= 10.0.0, < 10.0.16	10.0.16	Jan 27, 2022	The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tom

CVE-2026-34487HigApr 9, 2026
affected >= 9.0.13, < 9.0.117fixed 9.0.117
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 thr
CVE-2026-34486HigApr 9, 2026
affected >= 11.0.20, < 11.0.21fixed 11.0.21
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.
CVE-2026-34483HigApr 9, 2026
affected >= 9.0.40, < 9.0.116fixed 9.0.116
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version
CVE-2026-32990MedApr 9, 2026
affected >= 9.0.113, < 9.0.116fixed 9.0.116
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,
CVE-2026-29146HigApr 9, 2026
affected >= 9.0.13, < 9.0.116fixed 9.0.116
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
CVE-2026-25854MedApr 9, 2026
affected >= 8.5.30, < 9.0.116fixed 9.0.116
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through
CVE-2026-24733Feb 17, 2026
affected >= 11.0.0-M1, < 11.0.15fixed 11.0.15
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending
CVE-2025-66614Feb 17, 2026
affected >= 11.0.0-M1, < 11.0.15fixed 11.0.15
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through
CVE-2025-61795MedOct 27, 2025
affected >= 11.0.0-M1, < 11.0.12fixed 11.0.12
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage co
CVE-2025-55754CriOct 27, 2025
affected >= 11.0.0-M1, < 11.0.11fixed 11.0.11
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was po
CVE-2025-55752HigOct 27, 2025
affected >= 11.0.0-M1, < 11.0.11fixed 11.0.11
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL,
CVE-2025-49124Jun 16, 2025
affected >= 11.0.0-M1, < 11.0.8fixed 11.0.8
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.
CVE-2023-45648Oct 10, 2023
affected >= 11.0.0-M1, < 11.0.0-M12fixed 11.0.0-M12
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header
CVE-2023-42795Oct 10, 2023
affected >= 9.0.0-M1, < 9.0.81fixed 9.0.81
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part
CVE-2023-41080Aug 25, 2023
affected >= 11.0.0-M1, < 11.0.0-M11fixed 11.0.0-M11
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E
CVE-2021-43980Sep 28, 2022
affected >= 8.5.0, < 8.5.78fixed 8.5.78
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and
CVE-2022-34305Jun 23, 2022
affected >= 10.1.0-M1, < 10.1.0-M17fixed 10.1.0-M17
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
CVE-2022-25762May 13, 2022
affected >= 8.5.0, < 8.5.75fixed 8.5.75
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The e
CVE-2022-29885May 12, 2022
affected >= 10.1.0-M1, < 10.1.0-M15fixed 10.1.0-M15
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor
CVE-2022-23181Jan 27, 2022
affected >= 10.0.0, < 10.0.16fixed 10.0.16
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tom

Page 1 of 8