Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL: 12, HIGH: 72, MEDIUM: 130, LOW: 15)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale, stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
Columns: No, Name, Latest Version, Release date, Initial release, Normal Support, Security Support / Service Pack Support, Extended (for a fee), Critical, High, Medium, Low
221 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
222 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
223 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
224 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
225 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
226 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
227 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
228 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
229 Apache Tomcat 5.5 5.5.9 0 0 0 0
230 Apache Tomcat 5.0 5.0.9 0 0 0 0
231 Apache Tomcat 4.1 4.1.9 0 0 0 0
232 Apache Tomcat 4.0 4.0.6 0 0 0 0
233 Apache Tomcat 3.3 3.3.2 0 0 0 0
234 Apache Tomcat 3.2 3.2.4 0 0 0 0
235 Apache Tomcat 3.1 3.1.1 0 0 0 0
236 Apache Tomcat 3.0 3.0 0 0 0 0
237 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri (or higher / or less / more than / less than) | Update date | Published date
221 | - | 5.0 | MEDIUM | | The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null). | NVD-CWE-Other | CVE-2002-0936 | cpe:2.3:a:apache:tomcat:4.0.3:* | 2023-11-7 10:55 | 2002-10-4
222 | - | 7.5 | HIGH | | Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions. | CWE-254 7PK - Security Features | CVE-2002-0493 | cpe:2.3:a:apache:tomcat:*:* 3.3.2 | 2023-11-7 10:55 | 2002-08-12
223 | - | 7.5 | HIGH | | Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script… | NVD-CWE-Other | CVE-2002-0682 | cpe:2.3:a:apache:tomcat:4.0.3:* | 2023-11-7 10:55 | 2002-07-23
224 | - | 5.0 | MEDIUM | | Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp. | NVD-CWE-Other | CVE-2000-1210 | cpe:2.3:a:apache:tomcat:*:* 3.1 | 2016-10-18 11:09 | 2002-03-22
225 | - | 7.5 | HIGH | | Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether t… | NVD-CWE-Other | CVE-2001-1563 | cpe:2.3:a:apache:tomcat:3.2.1:* | 2017-07-11 10:29 | 2001-12-31
226 | - | 5.1 | MEDIUM | | A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error mes… | NVD-CWE-Other | CVE-2001-0829 | cpe:2.3:a:apache:tomcat:3.2.1:* | 2008-09-11 04:09 | 2001-12-6
227 | - | 5.0 | MEDIUM | | Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension. | NVD-CWE-Other | CVE-2001-0917 | cpe:2.3:a:apache:tomcat:4.0.1:* | 2023-11-7 10:55 | 2001-11-22
228 | - | 5.0 | MEDIUM | | Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol… | NVD-CWE-Other | CVE-2001-0590 | cpe:2.3:a:apache:tomcat:*:* 3.2.2 | 2017-10-10 10:29 | 2001-08-2
229 | - | 6.4 | MEDIUM | | Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path. | NVD-CWE-Other | CVE-2000-0759 | cpe:2.3:a:apache:tomcat:3.1:* | 2023-11-7 10:55 | 2000-10-20
230 | - | 6.4 | MEDIUM | | The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension. | NVD-CWE-Other | CVE-2000-0760 | cpe:2.3:a:apache:tomcat:3.1:*, cpe:2.3:a:apache:tomcat:3.0:* | 2023-11-7 10:55 | 2000-10-20