| Apache Tomcat | Number Of NVD | 240 | CRITICAL | 16 | HIGH | 74 | MEDIUM | 133 | LOW | 15 |
| URL | http://tomcat.apache.org/ | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Explanation | ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large scale and stable systems. |
||||||||
| Tag | |||||||||
| No | Type | Name | URL |
|---|---|---|---|
| 1 | http://tomcat.apache.org/security.html | ||
| 2 | http://tomcat.apache.org/whichversion.html |
| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support Service Pack Support |
Extended for a fee |
Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | Apache Tomcat 11.0 | 11.0.14 | June 22, 2026 | Feb. 23, 2023 | 10 | 15 | 9 | 1 | |||
| 22 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | 10 | 21 | 10 | 2 | |||
| 23 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | 16 | 54 | 30 | 2 | |||
| 24 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | 12 | 46 | 26 | 2 | |||
| 25 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | 6 | 21 | 22 | 0 | ||
| 26 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | 10 | 35 | 59 | 6 | ||
| 27 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | 4 | 16 | 63 | 5 | ||
| 28 | Apache Tomcat 5.5 | 5.5.9 | 0 | 0 | 0 | 0 | |||||
| 29 | Apache Tomcat 5.0 | 5.0.9 | 0 | 0 | 0 | 0 | |||||
| 30 | Apache Tomcat 4.1 | 4.1.9 | 0 | 0 | 0 | 0 | |||||
| 31 | Apache Tomcat 4.0 | 4.0.6 | 0 | 0 | 0 | 0 | |||||
| 32 | Apache Tomcat 3.3 | 3.3.2 | 0 | 0 | 0 | 0 | |||||
| 33 | Apache Tomcat 3.2 | 3.2.4 | 0 | 0 | 0 | 0 | |||||
| 34 | Apache Tomcat 3.1 | 3.1.1 | 0 | 0 | 0 | 0 | |||||
| 35 | Apache Tomcat 3.0 | 3.0 | 0 | 0 | 0 | 0 | |||||
| 36 | Apache Tomcat 1.1 | 1.1.3 | 0 | 0 | 0 | 0 |
| No | CVSS3 CVSS2 |
Level Attach Vector |
Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date Published date |
Show Affected | Exploit PoC Search |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 |
5.3 - |
MEDIUM
Network |
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, fro… |
CWE-20
Improper Input Validation |
CVE-2026-32990 | cpe:2.3:a:apache:tomcat:*:* |
9.0.113 10.1.50 11.0.15 |
|
|
9.0.116 10.1.53 11.0.20 |
2026-04-14 21:47 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 22 |
7.5 - |
HIGH
Network |
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from … |
CWE-209 CWE-642 Information Exposure Through an Error Message External Control of Critical State Data |
CVE-2026-29146 | cpe:2.3:a:apache:tomcat:*:* |
7.0.100 8.5.38 9.0.13 10.0.0 11.0.0 |
7.0.109 8.5.100 |
|
9.0.116 10.1.53 11.0.20 |
2026-04-14 21:56 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 23 |
9.1 - |
CRITICAL
Network |
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0… |
CWE-287
Improper Authentication |
CVE-2026-29145 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone9 cpe:2.3:a:apache:tomcat:10.1.0:milestone8 cpe:2.3:a:apache:tomcat:10.1.… |
9.0.83 10.1.1 11.0.0 |
|
|
9.0.116 10.1.53 11.0.20 |
2026-04-14 22:22 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 24 |
7.5 - |
HIGH
Network |
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.… |
CWE-327
Use of a Broken or Risky Cryptographic Algorithm |
CVE-2026-29129 | cpe:2.3:a:apache:tomcat:*:* |
9.0.114 10.1.51 11.0.16 |
|
|
9.0.116 10.1.53 11.0.20 |
2026-04-14 23:00 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 25 |
6.1 - |
MEDIUM
Network |
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro… |
CWE-601
Open Redirect |
CVE-2026-25854 |
cpe:2.3:a:apache:tomcat:9.0.0:milestone27 cpe:2.3:a:apache:tomcat:9.0.0:milestone26 cpe:2.3:a:apache:tomcat:9.0.0… |
9.0.1 10.1.0 11.0.0 |
|
|
9.0.116 10.1.53 11.0.20 |
2026-04-14 23:01 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 26 |
7.5 - |
HIGH
Network |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … |
CWE-444
HTTP Request Smuggling |
CVE-2026-24880 | cpe:2.3:a:apache:tomcat:*:* |
9.0.0 10.1.0 11.0.0 |
|
|
9.0.116 10.1.53 11.0.20 |
2026-04-15 05:02 2026-04-10 |
Show | GitHub Exploit DB Packet Storm |
| 27 |
- - |
- | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… |
CWE-384
Session Fixation |
CVE-2025-55668 |
cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… |
10.0.0 11.0.0 9.0.1 |
|
|
10.1.42 11.0.8 9.0.106 |
2025-08-19 03:44 2025-08-13 |
Show | GitHub Exploit DB Packet Storm |
| 28 |
- - |
- | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0… | - | CVE-2025-48989 |
cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… |
10.0.0 11.0.0 9.0.1 |
|
|
10.1.44 11.0.10 9.0.108 |
2025-08-19 03:34 2025-08-13 |
Show | GitHub Exploit DB Packet Storm |
| 29 |
9.8 - |
CRITICAL
Network |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to… |
CWE-116
Improper Encoding or Escaping of Output |
CVE-2025-31651 | cpe:2.3:a:apache:tomcat:*:* |
10.1.0 11.0.0 9.0.0 |
|
|
10.1.40 11.0.6 9.0.104 |
2025-05-6 23:15 2025-04-29 |
Show | GitHub Exploit DB Packet Storm |
| 30 |
7.5 - |
HIGH
Network |
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … |
CWE-459
Incomplete Cleanup |
CVE-2025-31650 |
cpe:2.3:a:apache:tomcat:11.0.0:milestone9 cpe:2.3:a:apache:tomcat:11.0.0:milestone8 cpe:2.3:a:apache:tomcat:11.0.… |
9.0.76 10.1.10 11.0.1 |
|
|
9.0.104 10.1.40 11.0.6 |
2025-05-6 23:15 2025-04-29 |
Show | GitHub Exploit DB Packet Storm |