Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Apache Tomcat Number Of NVD 240 CRITICAL 16 HIGH 74 MEDIUM 133 LOW 15
URL http://tomcat.apache.org/
Explanation ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • オープンソース

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
91 Apache Tomcat 11.0 11.0.14 June 22, 2026 Feb. 23, 2023 10 15 9 1
92 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 10 21 10 2
93 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 16 54 30 2
94 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 12 46 26 2
95 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 6 21 22 0
96 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 10 35 59 6
97 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 4 16 63 5
98 Apache Tomcat 5.5 5.5.9 0 0 0 0
99 Apache Tomcat 5.0 5.0.9 0 0 0 0
100 Apache Tomcat 4.1 4.1.9 0 0 0 0
101 Apache Tomcat 4.0 4.0.6 0 0 0 0
102 Apache Tomcat 3.3 3.3.2 0 0 0 0
103 Apache Tomcat 3.2 3.2.4 0 0 0 0
104 Apache Tomcat 3.1 3.1.1 0 0 0 0
105 Apache Tomcat 3.0 3.0 0 0 0 0
106 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
91 5.3
5.0
MEDIUM
Network
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.R… NVD-CWE-noinfo
CVE-2016-6794 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
6.0.0
7.0.0
8.0
8.5.0
6.0.45
7.0.70
8.0.36
8.5.4






2024-11-21 11:56
2017-08-11
Show GitHub Exploit DB Packet Storm
92 9.1
6.4
CRITICAL
Network
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomca… NVD-CWE-noinfo
CVE-2016-5018 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
6.0.0
7.0.0
8.0
8.5.0
6.0.45
7.0.70
8.0.36
8.5.4






2024-11-21 11:53
2017-08-11
Show GitHub Exploit DB Packet Storm
93 5.9
4.3
MEDIUM
Network
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplie… CWE-203
 Information Exposure Through Discrepancy
CVE-2016-0762 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
6.0.0
7.0.0
8.0
8.5.0
6.0.45
7.0.70
8.0.36
8.5.4






2024-11-21 11:42
2017-08-11
Show GitHub Exploit DB Packet Storm
94 7.5
5.0
HIGH
Network
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwa… CWE-755
 Improper Handling of Exceptional Conditions
CVE-2017-5664 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 12:28
2017-06-6
Show GitHub Exploit DB Packet Storm
95 9.8
7.5
CRITICAL
Network
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, … NVD-CWE-noinfo
CVE-2017-5651 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 12:28
2017-04-18
Show GitHub Exploit DB Packet Storm
96 7.5
5.0
HIGH
Network
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting f… CWE-404
 Improper Resource Shutdown or Release
CVE-2017-5650 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 12:28
2017-04-18
Show GitHub Exploit DB Packet Storm
97 9.1
6.4
CRITICAL
Network
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th… CWE-668
 Exposure of Resource to Wrong Sphere
CVE-2017-5648 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 12:28
2017-04-18
Show GitHub Exploit DB Packet Storm
98 7.5
5.0
HIGH
Network
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in… CWE-200
Information Exposure
CVE-2017-5647 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 12:28
2017-04-18
Show GitHub Exploit DB Packet Storm
99 9.8
7.5
CRITICAL
Network
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an att… NVD-CWE-noinfo
CVE-2016-8735 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…

7.0.0
8.0
8.5.0






6.0.48
7.0.73
8.0.39
8.5.7
2026-04-22 02:03
2017-04-7
Show GitHub Exploit DB Packet Storm
100 7.8
7.2
HIGH
Local
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 L… CWE-264
Permissions, Privileges, and Access Controls
CVE-2016-9775 cpe:2.3:a:apache:tomcat:8.0:*
cpe:2.3:a:apache:tomcat:7.0:*
cpe:2.3:a:apache:tomcat:6.0:*
2024-11-21 12:01
2017-03-24
Show GitHub Exploit DB Packet Storm