Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.tomcat/tomcat@10.1.50
Typemaven
Namespaceorg.apache.tomcat
Nametomcat
Version10.1.50
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version10.1.54
Latest_non_vulnerable_version11.0.21
Affected_by_vulnerabilities
0
url VCID-8war-4v58-eub2
vulnerability_id VCID-8war-4v58-eub2
summary 
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.

This issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.


The following versions were EOL at the time the CVE was created but are 
known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.

Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.

Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24734.json
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24734.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24734
reference_id
reference_type
scores
0
value 0.00109
scoring_system epss
scoring_elements 0.29186
published_at 2026-04-13T12:55:00Z
1
value 0.00109
scoring_system epss
scoring_elements 0.29285
published_at 2026-04-11T12:55:00Z
2
value 0.00109
scoring_system epss
scoring_elements 0.29279
published_at 2026-04-09T12:55:00Z
3
value 0.00109
scoring_system epss
scoring_elements 0.29315
published_at 2026-04-02T12:55:00Z
4
value 0.00109
scoring_system epss
scoring_elements 0.29175
published_at 2026-04-07T12:55:00Z
5
value 0.00109
scoring_system epss
scoring_elements 0.29363
published_at 2026-04-04T12:55:00Z
6
value 0.00109
scoring_system epss
scoring_elements 0.29239
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24734
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-21T21:16:49Z/
url https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24734
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24734
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440426
reference_id 2440426
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440426
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734
reference_id CVE-2026-24734
reference_type
scores
0
value Moderate
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734
8
reference_url https://github.com/advisories/GHSA-mgp5-rv84-w37q
reference_id GHSA-mgp5-rv84-w37q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mgp5-rv84-w37q
9
reference_url https://access.redhat.com/errata/RHSA-2026:5611
reference_id RHSA-2026:5611
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5611
10
reference_url https://access.redhat.com/errata/RHSA-2026:5612
reference_id RHSA-2026:5612
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5612
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@10.1.52
purl pkg:maven/org.apache.tomcat/tomcat@10.1.52
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35xg-a746-5qgc
1
vulnerability VCID-gyed-x6s8-ybhr
2
vulnerability VCID-maw6-4qs5-ykae
3
vulnerability VCID-rsxs-u5cc-rkgj
4
vulnerability VCID-yrzk-1dbk-muhy
5
vulnerability VCID-zw2q-kna8-mqcm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.52
1
url pkg:maven/org.apache.tomcat/tomcat@11.0.18
purl pkg:maven/org.apache.tomcat/tomcat@11.0.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35xg-a746-5qgc
1
vulnerability VCID-74tx-sx8a-guhs
2
vulnerability VCID-gyed-x6s8-ybhr
3
vulnerability VCID-rsxs-u5cc-rkgj
4
vulnerability VCID-yrzk-1dbk-muhy
5
vulnerability VCID-zw2q-kna8-mqcm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.18
aliases CVE-2026-24734, GHSA-mgp5-rv84-w37q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8war-4v58-eub2
1
url VCID-maw6-4qs5-ykae
vulnerability_id VCID-maw6-4qs5-ykae
summary 
Improper Input Validation vulnerability.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.

The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI 
extension was the same as the host name provided in the HTTP host header 
field. If Tomcat was configured with more than one virtual host and the 
TLS configuration for one of those hosts did not require client 
certificate authentication but another one did, it was possible for a 
client to bypass the client certificate authentication by sending 
different host names in the SNI extension and the HTTP host header field.



The vulnerability only applies if client certificate authentication is 
only enforced at the Connector. It does not apply if client certificate 
authentication is enforced at the web application.


Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66614.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66614.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66614
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13222
published_at 2026-04-13T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.1327
published_at 2026-04-12T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13309
published_at 2026-04-11T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13341
published_at 2026-04-09T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13413
published_at 2026-04-04T12:55:00Z
5
value 0.00043
scoring_system epss
scoring_elements 0.13349
published_at 2026-04-02T12:55:00Z
6
value 0.00043
scoring_system epss
scoring_elements 0.1329
published_at 2026-04-08T12:55:00Z
7
value 0.00043
scoring_system epss
scoring_elements 0.13209
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66614
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
5
reference_url https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
6
reference_url https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2
7
reference_url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
8
reference_url https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
9
reference_url https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
10
reference_url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
11
reference_url https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
12
reference_url https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
13
reference_url https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-21T21:17:26Z/
url https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66614
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66614
15
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-10.html
16
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-11.html
17
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-9.html
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440430
reference_id 2440430
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440430
19
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
reference_id CVE-2025-66614
reference_type
scores
0
value Moderate
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
20
reference_url https://github.com/advisories/GHSA-fpj8-gq4v-p354
reference_id GHSA-fpj8-gq4v-p354
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fpj8-gq4v-p354
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@10.1.53
purl pkg:maven/org.apache.tomcat/tomcat@10.1.53
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.53
1
url pkg:maven/org.apache.tomcat/tomcat@11.0.15
purl pkg:maven/org.apache.tomcat/tomcat@11.0.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.15
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.20
purl pkg:maven/org.apache.tomcat/tomcat@11.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.20
aliases CVE-2025-66614, GHSA-fpj8-gq4v-p354
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-maw6-4qs5-ykae
2
url VCID-rsxs-u5cc-rkgj
vulnerability_id VCID-rsxs-u5cc-rkgj
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32990.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32990.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32990
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12364
published_at 2026-04-13T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12404
published_at 2026-04-12T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12443
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32990
2
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
3
reference_url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
4
reference_url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
5
reference_url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
6
reference_url https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:38:40Z/
url https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32990
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32990
8
reference_url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
reference_id
reference_type
scores
url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
9
reference_url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
reference_id
reference_type
scores
url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
10
reference_url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
reference_id
reference_type
scores
url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
reference_id 1133356
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
reference_id 1133357
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457025
reference_id 2457025
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457025
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32990
reference_id CVE-2026-32990
reference_type
scores
0
value Moderate
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32990
15
reference_url https://www.herodevs.com/vulnerability-directory/cve-2026-32990
reference_id CVE-2026-32990
reference_type
scores
url https://www.herodevs.com/vulnerability-directory/cve-2026-32990
16
reference_url https://github.com/advisories/GHSA-8mc5-53m5-3qj2
reference_id GHSA-8mc5-53m5-3qj2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8mc5-53m5-3qj2
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@10.1.53
purl pkg:maven/org.apache.tomcat/tomcat@10.1.53
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.53
1
url pkg:maven/org.apache.tomcat/tomcat@11.0.20
purl pkg:maven/org.apache.tomcat/tomcat@11.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.20
aliases CVE-2026-32990, GHSA-8mc5-53m5-3qj2
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rsxs-u5cc-rkgj
3
url VCID-yrzk-1dbk-muhy
vulnerability_id VCID-yrzk-1dbk-muhy
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29146.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29146.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29146
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08877
published_at 2026-04-11T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.08832
published_at 2026-04-13T12:55:00Z
2
value 0.00031
scoring_system epss
scoring_elements 0.08846
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29146
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1
5
reference_url https://github.com/apache/tomcat/commit/1fab40ccc752e22639eccfe290d5624afad7eccd
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/1fab40ccc752e22639eccfe290d5624afad7eccd
6
reference_url https://github.com/apache/tomcat/commit/55f3eb9148233054fccfdf761141c6894a050be1
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/55f3eb9148233054fccfdf761141c6894a050be1
7
reference_url https://github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c
8
reference_url https://github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa
9
reference_url https://github.com/apache/tomcat/commit/776e12b3e2b0b4507b8a3b62c187ceb0b74bf418
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/776e12b3e2b0b4507b8a3b62c187ceb0b74bf418
10
reference_url https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:17:02Z/
url https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29146
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29146
12
reference_url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
reference_id
reference_type
scores
url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
13
reference_url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
reference_id
reference_type
scores
url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
14
reference_url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
reference_id
reference_type
scores
url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
15
reference_url http://www.openwall.com/lists/oss-security/2026/04/09/24
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/09/24
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
reference_id 1133356
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
reference_id 1133357
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457020
reference_id 2457020
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457020
19
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29146
reference_id CVE-2026-29146
reference_type
scores
0
value Important
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29146
20
reference_url https://www.herodevs.com/vulnerability-directory/cve-2026-29146
reference_id CVE-2026-29146
reference_type
scores
url https://www.herodevs.com/vulnerability-directory/cve-2026-29146
21
reference_url https://github.com/advisories/GHSA-h468-7pvh-8vr8
reference_id GHSA-h468-7pvh-8vr8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h468-7pvh-8vr8
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@10.1.53
purl pkg:maven/org.apache.tomcat/tomcat@10.1.53
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.53
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.54
purl pkg:maven/org.apache.tomcat/tomcat@10.1.54
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.54
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.19
purl pkg:maven/org.apache.tomcat/tomcat@11.0.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-maw6-4qs5-ykae
1
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.19
3
url pkg:maven/org.apache.tomcat/tomcat@11.0.20
purl pkg:maven/org.apache.tomcat/tomcat@11.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.20
4
url pkg:maven/org.apache.tomcat/tomcat@11.0.21
purl pkg:maven/org.apache.tomcat/tomcat@11.0.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.21
aliases CVE-2026-29146, GHSA-h468-7pvh-8vr8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yrzk-1dbk-muhy
Fixing_vulnerabilities
0
url VCID-maw6-4qs5-ykae
vulnerability_id VCID-maw6-4qs5-ykae
summary 
Improper Input Validation vulnerability.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.

The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI 
extension was the same as the host name provided in the HTTP host header 
field. If Tomcat was configured with more than one virtual host and the 
TLS configuration for one of those hosts did not require client 
certificate authentication but another one did, it was possible for a 
client to bypass the client certificate authentication by sending 
different host names in the SNI extension and the HTTP host header field.



The vulnerability only applies if client certificate authentication is 
only enforced at the Connector. It does not apply if client certificate 
authentication is enforced at the web application.


Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66614.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66614.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66614
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13222
published_at 2026-04-13T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.1327
published_at 2026-04-12T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13309
published_at 2026-04-11T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13341
published_at 2026-04-09T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13413
published_at 2026-04-04T12:55:00Z
5
value 0.00043
scoring_system epss
scoring_elements 0.13349
published_at 2026-04-02T12:55:00Z
6
value 0.00043
scoring_system epss
scoring_elements 0.1329
published_at 2026-04-08T12:55:00Z
7
value 0.00043
scoring_system epss
scoring_elements 0.13209
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66614
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
5
reference_url https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
6
reference_url https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2
7
reference_url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
8
reference_url https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
9
reference_url https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
10
reference_url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
11
reference_url https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
12
reference_url https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
13
reference_url https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-21T21:17:26Z/
url https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66614
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66614
15
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-10.html
16
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-11.html
17
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-9.html
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440430
reference_id 2440430
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440430
19
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
reference_id CVE-2025-66614
reference_type
scores
0
value Moderate
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66614
20
reference_url https://github.com/advisories/GHSA-fpj8-gq4v-p354
reference_id GHSA-fpj8-gq4v-p354
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fpj8-gq4v-p354
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.113
purl pkg:maven/org.apache.tomcat/tomcat@9.0.113
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.113
1
url pkg:maven/org.apache.tomcat/tomcat@9.0.116
purl pkg:maven/org.apache.tomcat/tomcat@9.0.116
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.116
2
url pkg:maven/org.apache.tomcat/tomcat@10.1.50
purl pkg:maven/org.apache.tomcat/tomcat@10.1.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
3
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.50
3
url pkg:maven/org.apache.tomcat/tomcat@10.1.53
purl pkg:maven/org.apache.tomcat/tomcat@10.1.53
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.53
4
url pkg:maven/org.apache.tomcat/tomcat@11.0.15
purl pkg:maven/org.apache.tomcat/tomcat@11.0.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.15
5
url pkg:maven/org.apache.tomcat/tomcat@11.0.20
purl pkg:maven/org.apache.tomcat/tomcat@11.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2rmy-13ym-3bgm
1
vulnerability VCID-8e1c-rbkg-v7c2
2
vulnerability VCID-abt4-b2cv-eygv
3
vulnerability VCID-d1fm-vbd1-n7au
4
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.20
aliases CVE-2025-66614, GHSA-fpj8-gq4v-p354
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-maw6-4qs5-ykae
1
url VCID-y9ne-rw7e-vugf
vulnerability_id VCID-y9ne-rw7e-vugf
summary 
Improper Input Validation vulnerability in Apache Tomcat.


Tomcat did not limit HTTP/0.9 requests to the GET method. If a security 
constraint was configured to allow HEAD requests to a URI but deny GET 
requests, the user could bypass that constraint on GET requests by 
sending a (specification invalid) HEAD request using HTTP/0.9.


This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.


Older, EOL versions are also affected.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24733.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24733.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24733
reference_id
reference_type
scores
0
value 0.00185
scoring_system epss
scoring_elements 0.40307
published_at 2026-04-13T12:55:00Z
1
value 0.00185
scoring_system epss
scoring_elements 0.40326
published_at 2026-04-12T12:55:00Z
2
value 0.00185
scoring_system epss
scoring_elements 0.40363
published_at 2026-04-11T12:55:00Z
3
value 0.00185
scoring_system epss
scoring_elements 0.40352
published_at 2026-04-09T12:55:00Z
4
value 0.00185
scoring_system epss
scoring_elements 0.4034
published_at 2026-04-08T12:55:00Z
5
value 0.00185
scoring_system epss
scoring_elements 0.40289
published_at 2026-04-07T12:55:00Z
6
value 0.00185
scoring_system epss
scoring_elements 0.40364
published_at 2026-04-04T12:55:00Z
7
value 0.00185
scoring_system epss
scoring_elements 0.40339
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24733
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/2e2fa23f2635bbb819759576a2f2f5e64ecf7c5f
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/2e2fa23f2635bbb819759576a2f2f5e64ecf7c5f
5
reference_url https://github.com/apache/tomcat/commit/6c73d74ff281260d74c836370ff6b82f1da8048b
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/6c73d74ff281260d74c836370ff6b82f1da8048b
6
reference_url https://github.com/apache/tomcat/commit/711b465cf22684a1acf0cb43501cdbbce9b6c5f4
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/711b465cf22684a1acf0cb43501cdbbce9b6c5f4
7
reference_url https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-21T21:16:58Z/
url https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24733
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24733
9
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-10.html
10
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-11.html
11
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-9.html
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440437
reference_id 2440437
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440437
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24733
reference_id CVE-2026-24733
reference_type
scores
0
value Low
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24733
14
reference_url https://github.com/advisories/GHSA-qq5r-98hh-rxc9
reference_id GHSA-qq5r-98hh-rxc9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qq5r-98hh-rxc9
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.113
purl pkg:maven/org.apache.tomcat/tomcat@9.0.113
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.113
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.50
purl pkg:maven/org.apache.tomcat/tomcat@10.1.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
3
vulnerability VCID-yrzk-1dbk-muhy
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.50
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.15
purl pkg:maven/org.apache.tomcat/tomcat@11.0.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-maw6-4qs5-ykae
2
vulnerability VCID-rsxs-u5cc-rkgj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.15
aliases CVE-2026-24733, GHSA-qq5r-98hh-rxc9
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y9ne-rw7e-vugf
Risk_score4.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.50