Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale, stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended (for a fee) | Critical | High | Medium | Low
1 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
2 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
3 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
4 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
5 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
6 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
7 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
8 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
9 Apache Tomcat 5.5 5.5.9 0 0 0 0
10 Apache Tomcat 5.0 5.0.9 0 0 0 0
11 Apache Tomcat 4.1 4.1.9 0 0 0 0
12 Apache Tomcat 4.0 4.0.6 0 0 0 0
13 Apache Tomcat 3.3 3.3.2 0 0 0 0
14 Apache Tomcat 3.2 3.2.4 0 0 0 0
15 Apache Tomcat 3.1 3.1.1 0 0 0 0
16 Apache Tomcat 3.0 3.0 0 0 0 0
17 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date | Published date
1  CVE-2026-43515
   CVSS3: 9.1 | CVSS2: - | Level: CRITICAL | Attack Vector: Network
   Title: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,…
   CWE: CWE-285 Improper Authorization
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 7.0.0, 8.5.0, 9.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, -, -
   less than: -, -, 9.0.118, 10.1.55, 11.0.22
   Update date: 2026-05-16 00:52 | Published date: 2026-05-13
2  CVE-2026-43514
   CVSS3: 3.7 | CVSS2: - | Level: LOW | Attack Vector: Network
   Title: Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M…
   CWE: CWE-208 Information Exposure Through Timing Discrepancy
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 7.0.0, 8.5.0, 9.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, -, -
   less than: -, -, 9.0.118, 10.1.55, 11.0.22
   Update date: 2026-05-15 03:46 | Published date: 2026-05-13
3  CVE-2026-43513
   CVSS3: 7.5 | CVSS2: - | Level: HIGH | Attack Vector: Network
   Title: Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 …
   CWE: CWE-178 Improper Handling of Case Sensitivity
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 7.0.0, 8.5.0, 9.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, -, -
   less than: -, -, 9.0.118, 10.1.55, 11.0.22
   Update date: 2026-05-16 00:53 | Published date: 2026-05-13
4  CVE-2026-43512
   CVSS3: 9.8 | CVSS2: - | Level: CRITICAL | Attack Vector: Network
   Title: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr…
   CWE: CWE-592 DEPRECATED: Authentication Bypass Issues
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 7.0.0, 8.5.0, 9.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, -, -
   less than: -, -, 9.0.118, 10.1.55, 11.0.22
   Update date: 2026-05-16 00:54 | Published date: 2026-05-13
5  CVE-2026-42498
   CVSS3: 7.3 | CVSS2: - | Level: HIGH | Attack Vector: Network
   Title: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1…
   CWE: CWE-200 Information Exposure
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 7.0.0, 8.5.0, 9.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, -, -
   less than: -, -, 9.0.118, 10.1.55, 11.0.22
   Update date: 2026-05-15 03:51 | Published date: 2026-05-13
6  CVE-2026-41293
   CVSS3: 9.8 | CVSS2: - | Level: CRITICAL | Attack Vector: Network
   Title: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0…
   CWE: CWE-20 Improper Input Validation
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 8.5.0, 9.0.0, 10.0.0, 10.1.0, 11.0.0
   or less: 8.5.100, -, 10.0.27, -, -
   less than: -, 9.0.118, -, 10.1.55, 11.0.22
   Update date: 2026-05-16 00:57 | Published date: 2026-05-13
7  CVE-2026-41284
   CVSS3: 7.5 | CVSS2: - | Level: HIGH | Attack Vector: Network
   Title: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 t…
   CWE: CWE-770 Allocation of Resources Without Limits or Throttling
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 4.0.0, 8.5.0, 9.0.0, 10.0.0, 10.1.0, 11.0.0
   or less: 7.0.109, 8.5.100, -, 10.0.27, -, -
   less than: -, -, 9.0.118, -, 10.1.55, 11.0.22
   Update date: 2026-05-15 03:59 | Published date: 2026-05-13
8  CVE-2026-34500
   CVSS3: 6.5 | CVSS2: - | Level: MEDIUM | Attack Vector: Network
   Title: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20…
   CWE: CWE-287 Improper Authentication
   cpe23Uri: cpe:2.3:a:apache:tomcat:11.0.0:milestone26, cpe:2.3:a:apache:tomcat:11.0.0:milestone25, cpe:2.3:a:apache:tomcat:11.…
   or higher: 9.0.92, 10.1.22, 11.0.1
   less than: 9.0.117, 10.1.54, 11.0.21
   Update date: 2026-04-14 21:43 | Published date: 2026-04-10
9  CVE-2026-34487
   CVSS3: 7.5 | CVSS2: - | Level: HIGH | Attack Vector: Network
   Title: Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat…
   CWE: CWE-532 Inclusion of Sensitive Information in Log Files
   cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
   or higher: 9.0.13, 10.1.0, 11.0.0
   less than: 9.0.117, 10.1.54, 11.0.21
   Update date: 2026-04-14 21:44 | Published date: 2026-04-10
10 CVE-2026-34486
   CVSS3: 7.5 | CVSS2: - | Level: HIGH | Attack Vector: Network
   Title: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.5…
   CWE: CWE-311 Missing Encryption of Sensitive Data
   cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.116:*, cpe:2.3:a:apache:tomcat:11.0.20:*, cpe:2.3:a:apache:tomcat:10.1.53:*
   Update date: 2026-04-14 21:45 | Published date: 2026-04-10