Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large-scale and stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended (for a fee) | Critical | High | Medium | Low
191 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
192 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
193 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
194 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
195 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
196 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
197 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
198 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
199 Apache Tomcat 5.5 5.5.9 0 0 0 0
200 Apache Tomcat 5.0 5.0.9 0 0 0 0
201 Apache Tomcat 4.1 4.1.9 0 0 0 0
202 Apache Tomcat 4.0 4.0.6 0 0 0 0
203 Apache Tomcat 3.3 3.3.2 0 0 0 0
204 Apache Tomcat 3.2 3.2.4 0 0 0 0
205 Apache Tomcat 3.1 3.1.1 0 0 0 0
206 Apache Tomcat 3.0 3.0 0 0 0 0
207 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date | Published date
191 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5… NVD-CWE-Other
CVE-2007-1355 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2007-05-22
192 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via cert… NVD-CWE-Other
CVE-2006-7195 cpe:2.3:a:apache:tomcat:5.5.9:*
cpe:2.3:a:apache:tomcat:5.5.8:*
cpe:2.3:a:apache:tomcat:5.5.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2007-05-10
193 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote a… CWE-79
Cross-site Scripting
CVE-2006-7196 cpe:2.3:a:apache:tomcat:5.5.9:*
cpe:2.3:a:apache:tomcat:5.5.8:*
cpe:2.3:a:apache:tomcat:5.5.7:*
cpe:2.3:a:apac…
4.1.31 2026-04-23 09:35
2007-05-10
194 -
2.6
LOW Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via cr… CWE-79
Cross-site Scripting
CVE-2007-1358 cpe:2.3:a:apache:tomcat:4.1.0:*
cpe:2.3:a:apache:tomcat:4.0.6:*
cpe:2.3:a:apache:tomcat:4.0.5:*
cpe:2.3:a:apac…
4.1.31 2026-04-23 09:35
2007-05-10
195 -
2.6
LOW The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows… NVD-CWE-Other
CVE-2007-1858 cpe:2.3:a:apache:tomcat:5.5.9:*
cpe:2.3:a:apache:tomcat:5.5.8:*
cpe:2.3:a:apache:tomcat:5.5.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2007-05-10
196 -
7.8
HIGH The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions… NVD-CWE-Other
CVE-2006-7197 cpe:2.3:a:apache:tomcat:5.5.15:* 2026-04-23 09:35
2007-04-26
197 -
5.0
MEDIUM Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers … CWE-22
Path Traversal
CVE-2007-0450 cpe:2.3:a:apache:tomcat:*:* 5.0.0
6.0.0


5.5.22
6.0.10
2026-04-23 09:35
2007-03-17
198 -
5.0
MEDIUM Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.… NVD-CWE-Other
CVE-2006-3835 cpe:2.3:a:apache:tomcat:5.5.9:*
cpe:2.3:a:apache:tomcat:5.5.7:*
cpe:2.3:a:apache:tomcat:5.5.16:*
cpe:2.3:a:apa…
2023-11-7 10:59
2006-07-25
199 -
5.0
MEDIUM Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathna… NVD-CWE-Other
CVE-2005-4703 cpe:2.3:a:apache:tomcat:4.0.3:* 2023-11-7 10:58
2005-12-31
200 -
7.8
HIGH The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain se… CWE-200
Information Exposure
CVE-2005-4836 cpe:2.3:a:apache:tomcat:4.1.40:*
cpe:2.3:a:apache:tomcat:4.1.39:*
cpe:2.3:a:apache:tomcat:4.1.37:*
cpe:2.3:a:a…
2023-11-7 10:58
2005-12-31