Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Apache Tomcat Number Of NVD 240 CRITICAL 16 HIGH 74 MEDIUM 133 LOW 15
URL http://tomcat.apache.org/
Explanation ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • オープンソース
  • Apache License v2.0

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
21 Apache Tomcat 11.0 11.0.14 June 22, 2026 Feb. 23, 2023 10 15 9 1
22 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 10 21 10 2
23 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 16 54 30 2
24 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 12 46 26 2
25 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 6 21 22 0
26 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 10 35 59 6
27 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 4 16 63 5
28 Apache Tomcat 5.5 5.5.9 0 0 0 0
29 Apache Tomcat 5.0 5.0.9 0 0 0 0
30 Apache Tomcat 4.1 4.1.9 0 0 0 0
31 Apache Tomcat 4.0 4.0.6 0 0 0 0
32 Apache Tomcat 3.3 3.3.2 0 0 0 0
33 Apache Tomcat 3.2 3.2.4 0 0 0 0
34 Apache Tomcat 3.1 3.1.1 0 0 0 0
35 Apache Tomcat 3.0 3.0 0 0 0 0
36 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
21 5.3
-
MEDIUM
Network
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… CWE-20
 Improper Input Validation 
CVE-2026-32990 cpe:2.3:a:apache:tomcat:*:* 9.0.113
10.1.50
11.0.15




9.0.116
10.1.53
11.0.20
2026-04-14 21:47
2026-04-10
Show GitHub Exploit DB Packet Storm
22 7.5
-
HIGH
Network
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from … CWE-209
CWE-642
Information Exposure Through an Error Message
 External Control of Critical State Data
CVE-2026-29146 cpe:2.3:a:apache:tomcat:*:* 7.0.100
8.5.38
9.0.13
10.0.0
11.0.0
7.0.109
8.5.100








9.0.116
10.1.53
11.0.20
2026-04-14 21:56
2026-04-10
Show GitHub Exploit DB Packet Storm
23 9.1
-
CRITICAL
Network
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0… CWE-287
Improper Authentication
CVE-2026-29145 cpe:2.3:a:apache:tomcat:10.1.0:milestone9
cpe:2.3:a:apache:tomcat:10.1.0:milestone8
cpe:2.3:a:apache:tomcat:10.1.…
9.0.83
10.1.1
11.0.0




9.0.116
10.1.53
11.0.20
2026-04-14 22:22
2026-04-10
Show GitHub Exploit DB Packet Storm
24 7.5
-
HIGH
Network
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… CWE-327
 Use of a Broken or Risky Cryptographic Algorithm
CVE-2026-29129 cpe:2.3:a:apache:tomcat:*:* 9.0.114
10.1.51
11.0.16




9.0.116
10.1.53
11.0.20
2026-04-14 23:00
2026-04-10
Show GitHub Exploit DB Packet Storm
25 6.1
-
MEDIUM
Network
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro… CWE-601
Open Redirect
CVE-2026-25854 cpe:2.3:a:apache:tomcat:9.0.0:milestone27
cpe:2.3:a:apache:tomcat:9.0.0:milestone26
cpe:2.3:a:apache:tomcat:9.0.0…
9.0.1
10.1.0
11.0.0




9.0.116
10.1.53
11.0.20
2026-04-14 23:01
2026-04-10
Show GitHub Exploit DB Packet Storm
26 7.5
-
HIGH
Network
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … CWE-444
HTTP Request Smuggling
CVE-2026-24880 cpe:2.3:a:apache:tomcat:*:* 9.0.0
10.1.0
11.0.0




9.0.116
10.1.53
11.0.20
2026-04-15 05:02
2026-04-10
Show GitHub Exploit DB Packet Storm
27 -
-
- Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… CWE-384
 Session Fixation
CVE-2025-55668 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
10.0.0
11.0.0
9.0.1




10.1.42
11.0.8
9.0.106
2025-08-19 03:44
2025-08-13
Show GitHub Exploit DB Packet Storm
28 -
-
- Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… - CVE-2025-48989 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
10.0.0
11.0.0
9.0.1




10.1.44
11.0.10
9.0.108
2025-08-19 03:34
2025-08-13
Show GitHub Exploit DB Packet Storm
29 9.8
-
CRITICAL
Network
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to… CWE-116
 Improper Encoding or Escaping of Output
CVE-2025-31651 cpe:2.3:a:apache:tomcat:*:* 10.1.0
11.0.0
9.0.0




10.1.40
11.0.6
9.0.104
2025-05-6 23:15
2025-04-29
Show GitHub Exploit DB Packet Storm
30 7.5
-
HIGH
Network
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … CWE-459
 Incomplete Cleanup
CVE-2025-31650 cpe:2.3:a:apache:tomcat:11.0.0:milestone9
cpe:2.3:a:apache:tomcat:11.0.0:milestone8
cpe:2.3:a:apache:tomcat:11.0.…
9.0.76
10.1.10
11.0.1




9.0.104
10.1.40
11.0.6
2025-05-6 23:15
2025-04-29
Show GitHub Exploit DB Packet Storm