| Apache Tomcat | Number Of NVD | 231 | CRITICAL | 12 | HIGH | 72 | MEDIUM | 130 | LOW | 15 |
|---|---|---|---|---|---|---|---|---|---|---|
| URL | http://tomcat.apache.org/ |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large scale and stable systems. |
| Tag | |

| No | Type | Name | URL |
|---|---|---|---|
| 1 | http://tomcat.apache.org/security.html | ||
| 2 | http://tomcat.apache.org/whichversion.html |

| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 22 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 23 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 24 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 25 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 26 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | | | 4 | 20 | 20 | 0 |
| 27 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | | | 7 | 34 | 56 | 6 |
| 28 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | | | 2 | 15 | 60 | 5 |
| 29 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 30 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 31 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 32 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 33 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 34 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 35 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 36 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 37 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |

| No | CVSS3 CVSS2 | Level Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date Published date | Show Affected | Exploit PoC Search |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | 7.5 - | HIGH Network | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory … | CWE-459 Incomplete Cleanup | CVE-2025-31650 | cpe:2.3:a:apache:tomcat:11.0.0:milestone9 cpe:2.3:a:apache:tomcat:11.0.0:milestone8 cpe:2.3:a:apache:tomcat:11.0.… | 9.0.76 10.1.10 11.0.1 | | | 9.0.104 10.1.40 11.0.6 | 2025-05-6 23:15 2025-04-29 | Show | GitHub Exploit DB Packet Storm |
| 22 | 9.8 - | CRITICAL Network | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apach… | CWE-502 CWE-706 Deserialization of Untrusted Data Use of Incorrectly-Resolved Name or Reference | CVE-2025-24813 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 9.0.1 10.1.1 11.0.1 | | | 9.0.99 10.1.35 11.0.3 | 2025-03-19 02:19 2025-03-11 | Show | GitHub Exploit DB Packet Storm |
| 23 | 5.3 - | MEDIUM Network | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are reco… | - | CVE-2024-21733 | cpe:2.3:a:apache:tomcat:9.0.0:milestone27 cpe:2.3:a:apache:tomcat:9.0.0:milestone26 cpe:2.3:a:apache:tomcat:9.0.0… | 9.0.1 8.5.7 | | | 9.0.44 8.5.64 | 2024-11-21 17:54 2024-01-19 | Show | GitHub Exploit DB Packet Storm |
| 24 | 7.5 - | HIGH Network | Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not c… | CWE-444 HTTP Request Smuggling | CVE-2023-46589 | cpe:2.3:a:apache:tomcat:11.0.0:milestone9 cpe:2.3:a:apache:tomcat:11.0.0:milestone8 cpe:2.3:a:apache:tomcat:11.0.… | 10.1.0 9.0.0 8.5.0 | | | 10.1.16 9.0.83 8.5.96 | 2024-11-21 17:28 2023-11-29 | Show | GitHub Exploit DB Packet Storm |
| 25 | 5.3 - | MEDIUM Network | Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not c… | - | CVE-2023-45648 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 10.1.1 8.5.0 9.0.1 | | | 10.1.14 8.5.94 9.0.81 | 2024-11-21 17:27 2023-10-11 | Show | GitHub Exploit DB Packet Storm |
| 26 | 5.3 - | MEDIUM Network | Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0… | - | CVE-2023-42795 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 10.1.1 8.5.0 9.0.1 | | | 10.1.14 8.5.94 9.0.81 | 2024-11-21 17:23 2023-10-11 | Show | GitHub Exploit DB Packet Storm |
| 27 | 5.9 - | MEDIUM Network | Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in pro… | - | CVE-2023-42794 | cpe:2.3:a:apache:tomcat:*:* | 8.5.85 9.0.70 | | | 8.5.94 9.0.81 | 2024-11-21 17:23 2023-10-11 | Show | GitHub Exploit DB Packet Storm |
| 28 | 7.5 - | HIGH Network | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | NVD-CWE-noinfo | CVE-2023-44487 | cpe:2.3:a:apache:tomcat:11.0.0:milestone9 cpe:2.3:a:apache:tomcat:11.0.0:milestone8 cpe:2.3:a:apache:tomcat:11.0.… | 9.0.0 8.5.0 10.1.0 | 9.0.80 8.5.93 10.1.13 | | | 2025-03-8 04:15 2023-10-10 | Show | GitHub Exploit DB Packet Storm |
| 29 | 6.1 - | MEDIUM Network | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 thro… | - | CVE-2023-41080 | cpe:2.3:a:apache:tomcat:11.0.0:milestone9 cpe:2.3:a:apache:tomcat:11.0.0:milestone8 cpe:2.3:a:apache:tomcat:11.0.… | 10.1.0 8.5.0 9.0.0 | 10.1.12 8.5.92 9.0.79 | | | 2024-11-21 17:20 2023-08-26 | Show | GitHub Exploit DB Packet Storm |
| 30 | 7.5 - | HIGH Network | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for th… | NVD-CWE-noinfo | CVE-2023-34981 | cpe:2.3:a:apache:tomcat:9.0.74:* cpe:2.3:a:apache:tomcat:8.5.88:* cpe:2.3:a:apache:tomcat:11.0.0:milestone5 cp… | | | | | 2024-11-21 17:07 2023-06-21 | Show | GitHub Exploit DB Packet Storm |