Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Apache Tomcat Number Of NVD 240 CRITICAL 16 HIGH 74 MEDIUM 133 LOW 15
URL http://tomcat.apache.org/
Explanation ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • オープンソース

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
181 Apache Tomcat 11.0 11.0.14 June 22, 2026 Feb. 23, 2023 10 15 9 1
182 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 10 21 10 2
183 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 16 54 30 2
184 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 12 46 26 2
185 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 6 21 22 0
186 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 10 35 59 6
187 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 4 16 63 5
188 Apache Tomcat 5.5 5.5.9 0 0 0 0
189 Apache Tomcat 5.0 5.0.9 0 0 0 0
190 Apache Tomcat 4.1 4.1.9 0 0 0 0
191 Apache Tomcat 4.0 4.0.6 0 0 0 0
192 Apache Tomcat 3.3 3.3.2 0 0 0 0
193 Apache Tomcat 3.2 3.2.4 0 0 0 0
194 Apache Tomcat 3.1 3.1.1 0 0 0 0
195 Apache Tomcat 3.0 3.0 0 0 0 0
196 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
181 -
4.3
MEDIUM Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another req… CWE-264
Permissions, Privileges, and Access Controls
CVE-2008-3271 cpe:2.3:a:apache:tomcat:5.5.0:*
cpe:2.3:a:apache:tomcat:4.1.9:*
cpe:2.3:a:apache:tomcat:4.1.8:*
cpe:2.3:a:apac…
2026-04-23 09:35
2008-10-14
Show GitHub Exploit DB Packet Storm
182 -
4.3
MEDIUM Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbit… CWE-22
Path Traversal
CVE-2008-2938 cpe:2.3:a:apache:tomcat:*:* 4.0.0
5.0.0
6.0.0
4.1.37
5.5.26
6.0.16




2026-04-23 09:35
2008-08-13
Show GitHub Exploit DB Packet Storm
183 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a cra… CWE-79
Cross-site Scripting
CVE-2008-1232 cpe:2.3:a:apache:tomcat:*:* 4.1.0
5.5.0
6.0.0
4.1.37
5.5.26
6.0.16




2026-04-23 09:35
2008-08-4
Show GitHub Exploit DB Packet Storm
184 -
5.0
MEDIUM Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which … CWE-22
Path Traversal
CVE-2008-2370 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2008-08-4
Show GitHub Exploit DB Packet Storm
185 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the … CWE-79
Cross-site Scripting
CVE-2008-1947 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2008-06-5
Show GitHub Exploit DB Packet Storm
186 -
5.0
MEDIUM Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value,… CWE-200
Information Exposure
CVE-2007-5333 cpe:2.3:a:apache:tomcat:*:* 4.1.0
5.5.0
6.0.0
4.1.36
5.5.25
6.0.14




2026-04-23 09:35
2008-02-12
Show GitHub Exploit DB Packet Storm
187 -
4.3
MEDIUM Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigge… NVD-CWE-Other
CVE-2007-6286 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2008-02-12
Show GitHub Exploit DB Packet Storm
188 -
5.8
MEDIUM Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitiv… NVD-CWE-Other
CVE-2008-0002 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2008-02-12
Show GitHub Exploit DB Packet Storm
189 -
5.0
MEDIUM The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause t… CWE-16
Configuration
CVE-2008-0128 cpe:2.3:a:apache:tomcat:*:* 5.5.20 2026-04-23 09:35
2008-01-23
Show GitHub Exploit DB Packet Storm
190 -
6.4
MEDIUM The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attac… CWE-264
Permissions, Privileges, and Access Controls
CVE-2007-5342 cpe:2.3:a:apache:tomcat:6.0:*
cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache…
2026-04-23 09:35
2007-12-28
Show GitHub Exploit DB Packet Storm