Tomcat

by Apache

CVEs (200)

  • CVE-2009-0783 (Med), Jun 5, 2009
    risk 0.27, cvss 4.2, epss 0.01

    Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web…

  • CVE-2026-53434 (low), Jun 29, 2026
    risk 0.24, cvss 3.7, epss 0.00

    tomcat: Apache Tomcat: Error condition not handled when configuring CRLs

  • CVE-2017-7674 (Med), Aug 11, 2017
    risk 0.21, cvss 4.3, epss 0.08

    The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

  • CVE-2026-55276 (low), Jun 29, 2026
    risk 0.15, cvss 2.3, epss 0.00

    tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow

  • CVE-2019-0232, Apr 15, 2019
    risk 0.11, cvss not listed, epss 1.00

    When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet…

  • CVE-2009-0580, Jun 5, 2009
    risk 0.11, cvss not listed, epss 0.94

    Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error…

  • CVE-2011-4858, Jan 5, 2012
    risk 0.09, cvss not listed, epss 0.80

    Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many…

  • CVE-2009-3548, Nov 12, 2009
    risk 0.09, cvss not listed, epss 0.79

    The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

  • CVE-2008-1232, Aug 4, 2008
    risk 0.09, cvss not listed, epss 0.76

    Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the…

  • CVE-2007-2449, Jun 14, 2007
    risk 0.09, cvss not listed, epss 0.77

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary…

  • CVE-2006-7196, May 10, 2007
    risk 0.09, cvss not listed, epss 0.72

    Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to…

  • CVE-2007-5333, Feb 12, 2008
    risk 0.08, cvss not listed, epss 0.63

    Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to…

  • CVE-2007-3386, Aug 14, 2007
    risk 0.08, cvss not listed, epss 0.59

    Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.

  • CVE-2007-1355, May 21, 2007
    risk 0.08, cvss not listed, epss 0.58

    Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web…

  • CVE-2000-0760, Oct 20, 2000
    risk 0.08, cvss not listed, epss 0.63

    The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.

  • CVE-2010-1157, Apr 23, 2010
    risk 0.07, cvss not listed, epss 0.53

    Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the…

  • CVE-2008-2370, Aug 4, 2008
    risk 0.07, cvss not listed, epss 0.53

    Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read…

  • CVE-2003-0042, Feb 7, 2003
    risk 0.07, cvss not listed, epss 0.46

    Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

  • CVE-2007-3382, Aug 14, 2007
    risk 0.06, cvss not listed, epss 0.38

    Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session…

  • CVE-2006-3835, Jul 25, 2006
    risk 0.06, cvss not listed, epss 0.46

    Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

Page 4 of 10