Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Apache Tomcat Number Of NVD 240 CRITICAL 16 HIGH 74 MEDIUM 133 LOW 15
URL http://tomcat.apache.org/
Explanation ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • オープンソース
  • Apache License v2.0

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
1 Apache Tomcat 11.0 11.0.14 June 22, 2026 Feb. 23, 2023 10 15 9 1
2 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 10 21 10 2
3 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 16 54 30 2
4 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 12 46 26 2
5 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 6 21 22 0
6 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 10 35 59 6
7 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 4 16 63 5
8 Apache Tomcat 5.5 5.5.9 0 0 0 0
9 Apache Tomcat 5.0 5.0.9 0 0 0 0
10 Apache Tomcat 4.1 4.1.9 0 0 0 0
11 Apache Tomcat 4.0 4.0.6 0 0 0 0
12 Apache Tomcat 3.3 3.3.2 0 0 0 0
13 Apache Tomcat 3.2 3.2.4 0 0 0 0
14 Apache Tomcat 3.1 3.1.1 0 0 0 0
15 Apache Tomcat 3.0 3.0 0 0 0 0
16 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
1 9.1
-
CRITICAL
Network
Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented. This issue affects Apache Tomcat:… Update CWE-1059
 Insufficient Technical Documentation
CVE-2026-59084 cpe:2.3:a:apache:tomcat:*:* 7.0.100
8.5.38
9.0.13
10.1.0
11.0.0
7.0.109
8.5.100
9.0.119
10.1.56
11.0.23








2026-07-15 01:57
2026-07-14
Show GitHub Exploit DB Packet Storm
2 9.1
-
CRITICAL
Network
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.… Update CWE-177
 Improper Handling of URL Encoding (Hex Encoding)
CVE-2026-59083 cpe:2.3:a:apache:tomcat:*:*
8.5.0
9.0.0
10.1.0
11.0.0
8.0.0
8.5.100
9.0.119
10.1.56
11.0.23








2026-07-15 01:57
2026-07-14
Show GitHub Exploit DB Packet Storm
3 7.3
-
HIGH
Network
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the corr… CWE-304
 Missing Critical Step in Authentication
CVE-2026-55957 cpe:2.3:a:apache:tomcat:*:*
10.1.0
11.0.0




9.0.101
10.1.37
11.0.5
2026-07-3 04:01
2026-06-30
Show GitHub Exploit DB Packet Storm
4 6.5
-
MEDIUM
Network
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. Thi… CWE-285
Improper Authorization
CVE-2026-55956 cpe:2.3:a:apache:tomcat:*:*
10.1.0
11.0.0




9.0.119
10.1.56
11.0.23
2026-07-3 04:03
2026-06-30
Show GitHub Exploit DB Packet Storm
5 6.5
-
MEDIUM
Network
Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11… CWE-287
Improper Authentication
CVE-2026-55955 cpe:2.3:a:apache:tomcat:*:*
10.1.0
11.0.0




9.0.19
10.1.56
11.0.23
2026-07-3 04:04
2026-06-30
Show GitHub Exploit DB Packet Storm
6 9.1
-
CRITICAL
Network
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This… CWE-670
 Always-Incorrect Control Flow Implementation
CVE-2026-55276 cpe:2.3:a:apache:tomcat:*:*
10.1.0
11.0.0




9.0.119
10.1.56
11.0.23
2026-07-3 04:05
2026-06-30
Show GitHub Exploit DB Packet Storm
7 9.1
-
CRITICAL
Network
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.… CWE-390
 Detection of Error Condition Without Action
CVE-2026-53434 cpe:2.3:a:apache:tomcat:*:* 9.0.83
10.1.0
11.0.0




9.0.119
10.1.56
11.0.23
2026-07-3 04:06
2026-06-30
Show GitHub Exploit DB Packet Storm
8 7.3
-
HIGH
Network
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This … CWE-670
 Always-Incorrect Control Flow Implementation
CVE-2026-53404 cpe:2.3:a:apache:tomcat:*:* 8.5.0
9.0.0
10.1.0
11.0.0
8.5.100






9.0.119
10.1.56
11.0.23
2026-07-3 04:22
2026-06-30
Show GitHub Exploit DB Packet Storm
9 6.1
-
MEDIUM
Network
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11… CWE-80
Basic XSS
CVE-2026-50229 cpe:2.3:a:apache:tomcat:*:*
8.5.0
9.0.0
10.1.0
11.0.0
7.0.109
8.5.100








9.0.119
10.1.56
11.0.23
2026-07-3 04:24
2026-06-30
Show GitHub Exploit DB Packet Storm
10 9.1
-
CRITICAL
Network
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21,… CWE-285
Improper Authorization
CVE-2026-43515 cpe:2.3:a:apache:tomcat:*:* 7.0.0
8.5.0
9.0.0
10.1.0
11.0.0
7.0.109
8.5.100








9.0.118
10.1.55
11.0.22
2026-05-16 00:52
2026-05-13
Show GitHub Exploit DB Packet Storm