Software Detail
Apache Tomcat
Number Of NVD 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL http://tomcat.apache.org/
Explanation Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended for a fee Critical High Medium Low
11 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
12 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
13 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
14 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
15 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
16 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
17 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
18 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
19 Apache Tomcat 5.5 5.5.9 0 0 0 0
20 Apache Tomcat 5.0 5.0.9 0 0 0 0
21 Apache Tomcat 4.1 4.1.9 0 0 0 0
22 Apache Tomcat 4.0 4.0.6 0 0 0 0
23 Apache Tomcat 3.3 3.3.2 0 0 0 0
24 Apache Tomcat 3.2 3.2.4 0 0 0 0
25 Apache Tomcat 3.1 3.1.1 0 0 0 0
26 Apache Tomcat 3.0 3.0 0 0 0 0
27 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri or higher or less more than less than Update date Published date
No: 11
CVSS3 / CVSS2 / Level / Attack Vector: 7.5 / - / HIGH / Network
Title: Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 1…
CWE: CWE-116 (Improper Encoding or Escaping of Output)
CVE: CVE-2026-34483
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 9.0.40, 10.1.0, 11.0.0
less than: 9.0.117, 10.1.54, 11.0.21
Update date: 2026-04-14 21:46
Published date: 2026-04-10
No: 12
CVSS3 / CVSS2 / Level / Attack Vector: 5.3 / - / MEDIUM / Network
Title: Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro…
CWE: CWE-20 (Improper Input Validation)
CVE: CVE-2026-32990
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 9.0.113, 10.1.50, 11.0.15
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-14 21:47
Published date: 2026-04-10
No: 13
CVSS3 / CVSS2 / Level / Attack Vector: 7.5 / - / HIGH / Network
Title: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from …
CWE: CWE-209 (Information Exposure Through an Error Message), CWE-642 (External Control of Critical State Data)
CVE: CVE-2026-29146
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 7.0.100, 8.5.38, 9.0.13, 10.0.0, 11.0.0
or less: 7.0.109, 8.5.100
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-14 21:56
Published date: 2026-04-10
No: 14
CVSS3 / CVSS2 / Level / Attack Vector: 9.1 / - / CRITICAL / Network
Title: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0…
CWE: CWE-287 (Improper Authentication)
CVE: CVE-2026-29145
cpe23Uri: cpe:2.3:a:apache:tomcat:10.1.0:milestone9, cpe:2.3:a:apache:tomcat:10.1.0:milestone8, cpe:2.3:a:apache:tomcat:10.1.…
or higher: 9.0.83, 10.1.1, 11.0.0
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-14 22:22
Published date: 2026-04-10
No: 15
CVSS3 / CVSS2 / Level / Attack Vector: 7.5 / - / HIGH / Network
Title: Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.…
CWE: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
CVE: CVE-2026-29129
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 9.0.114, 10.1.51, 11.0.16
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-14 23:00
Published date: 2026-04-10
No: 16
CVSS3 / CVSS2 / Level / Attack Vector: 6.1 / - / MEDIUM / Network
Title: Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro…
CWE: CWE-601 (Open Redirect)
CVE: CVE-2026-25854
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone27, cpe:2.3:a:apache:tomcat:9.0.0:milestone26, cpe:2.3:a:apache:tomcat:9.0.0…
or higher: 9.0.1, 10.1.0, 11.0.0
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-14 23:01
Published date: 2026-04-10
No: 17
CVSS3 / CVSS2 / Level / Attack Vector: 7.5 / - / HIGH / Network
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through …
CWE: CWE-444 (HTTP Request Smuggling)
CVE: CVE-2026-24880
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 9.0.0, 10.1.0, 11.0.0
less than: 9.0.116, 10.1.53, 11.0.20
Update date: 2026-04-15 05:02
Published date: 2026-04-10
No: 18
CVSS3 / CVSS2 / Level / Attack Vector: - / - / -
Title: Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old…
CWE: CWE-384 (Session Fixation)
CVE: CVE-2025-55668
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
or higher: 10.0.0, 11.0.0, 9.0.1
less than: 10.1.42, 11.0.8, 9.0.106
Update date: 2025-08-19 03:44
Published date: 2025-08-13
No: 19
CVSS3 / CVSS2 / Level / Attack Vector: - / - / -
Title: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0…
CWE: -
CVE: CVE-2025-48989
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
or higher: 10.0.0, 11.0.0, 9.0.1
less than: 10.1.44, 11.0.10, 9.0.108
Update date: 2025-08-19 03:34
Published date: 2025-08-13
No: 20
CVSS3 / CVSS2 / Level / Attack Vector: 9.8 / - / CRITICAL / Network
Title: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to…
CWE: CWE-116 (Improper Encoding or Escaping of Output)
CVE: CVE-2025-31651
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 10.1.0, 11.0.0, 9.0.0
less than: 10.1.40, 11.0.6, 9.0.104
Update date: 2025-05-6 23:15
Published date: 2025-04-29