| purl | pkg:apache/tomcat@10.1.0-M1 |
| Next non-vulnerable version | 10.1.0-M10 |
| Latest non-vulnerable version | 11.0.21 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1e6p-cppr-2bh2 (aliases: CVE-2025-48989, GHSA-gqp3-2cvr-x8m3) | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-246u-a4rh-yyd4 (aliases: CVE-2025-49125, GHSA-wc4r-xq3c-5cf3) | Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-2kku-pzer-9ufv (aliases: CVE-2025-55668, GHSA-23hv-mwm6-g8jf) | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-2rmy-13ym-3bgm (aliases: CVE-2026-34483, GHSA-rv64-5gf8-9qq8) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-2x6a-3gh1-rkhs (aliases: CVE-2025-48976, GHSA-vv7r-c36w-3prj) | Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-3vdn-j7sj-dfdn (aliases: CVE-2024-38286, GHSA-7jqf-v358-p8g7) | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-43j2-w5xt-43g9 (aliases: CVE-2024-56337, GHSA-27hp-xhwr-wr2m) | | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-4cag-c4pb-dfaz (aliases: CVE-2025-61795, GHSA-hgrr-935x-pq79) | Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-56jv-htmt-rkew (aliases: CVE-2023-24998, GHSA-hfrx-6qgj-fp6c) | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5781-s1ny-q7ey (aliases: CVE-2023-44487, GHSA-2m7v-gc89-fjqf, GHSA-qppj-fm5r-hxr3, GHSA-vx74-f528-fxqg, GHSA-xpw8-rcwv-8f8p, GMS-2023-3377, VSV00013) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5sgv-7nsz-5fa8 (aliases: CVE-2025-24813, GHSA-83qj-6fr2-vhqg) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-6pm1-byhk-eqfg (aliases: CVE-2022-23181, GHSA-9f3j-pm6f-9fm5) | The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. | Affected by 0 other vulnerabilities. |
| VCID-8mns-kw6c-a7dk (aliases: CVE-2024-52316, GHSA-xcpr-7mr4-h4xq) | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. | Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
| VCID-8myk-ac5b-huh8 (aliases: CVE-2024-34750, GHSA-wm9w-rjj3-j356) | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-b3bb-9ajg-sfc9 (aliases: CVE-2023-46589, GHSA-fccv-jmmp-qg76) | Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-cfhw-vmcp-y3bc (aliases: CVE-2025-55754, GHSA-vfww-5hm6-hx2j) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-d1fm-vbd1-n7au (aliases: CVE-2026-34487, GHSA-x4m4-345f-5h5g) | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-fpgj-82wf-ykbw (aliases: CVE-2025-53506, GHSA-25xr-qj8w-c4vf) | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-gb2v-96xj-ybad (aliases: CVE-2025-48988, GHSA-h3gc-qfqq-6h8f) | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-gvhy-d4gm-57d3 (aliases: CVE-2024-54677, GHSA-653p-vg55-5652) | | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-gyed-x6s8-ybhr (aliases: CVE-2026-24880, GHSA-563x-q5rq-57qp) | | Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-j6cj-ftyd-3ffa (aliases: CVE-2023-41080, GHSA-q3mw-pvr8-9ggc) | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application. | Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-j8tk-s915-pbfy (aliases: CVE-2021-43980, GHSA-jx7c-7mj5-9438) | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or part responses, being received by the wrong client. | Affected by 1 other vulnerability. |
| VCID-k59r-wjt3-wqe5 (aliases: CVE-2025-52520, GHSA-wr62-c79q-cv37) | For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-kukv-k3z7-7fgs (aliases: CVE-2025-31651, GHSA-ff77-26x5-69cr) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-maw6-4qs5-ykae (aliases: CVE-2025-66614, GHSA-fpj8-gq4v-p354) | Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue. | Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-n9yk-e49f-n7e7 (aliases: CVE-2023-42795, GHSA-g8pj-r55q-5c2v) | Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-nmq2-8ysj-4fbc (aliases: CVE-2022-42252, GHSA-p22x-g9px-3945) | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. | Affected by 1 other vulnerability. |
| VCID-p6pa-f1fg-hbhg (aliases: CVE-2024-23672, GHSA-v682-8vv8-vpwr) | Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-p8q2-pt96-5ye8 (aliases: CVE-2022-34305, GHSA-6j88-6whg-x687) | In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. | Affected by 0 other vulnerabilities. |
| VCID-qkx6-32cj-jfbp (aliases: CVE-2022-29885, GHSA-r84p-88g2-2vx2) | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | Affected by 0 other vulnerabilities. |
| VCID-rzj2-4kcj-43dq (aliases: CVE-2023-45648, GHSA-r6j3-px5g-cq3x) | Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-sr8e-w1qk-r7fz (aliases: CVE-2025-46701, GHSA-h2fw-rfh5-95r3) | Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. | Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-stds-vw5z-auhp (aliases: CVE-2022-45143, GHSA-rq2w-37h9-vg94) | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. | Affected by 0 other vulnerabilities. |
| VCID-v7tp-1t4h-zqeg (aliases: CVE-2023-28708, GHSA-2c9m-w27f-53rm) | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-v8ku-sjc8-wfga (aliases: CVE-2024-50379, GHSA-5j33-cvvr-w245) | | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-vsdf-4tfj-uybe (aliases: CVE-2024-24549, GHSA-7w75-32cg-r6g2) | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-wptr-hkjx-s7c3 (aliases: CVE-2021-42340, GHSA-wph7-x527-w3h5) | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. | Affected by 0 other vulnerabilities. |
| VCID-xqjr-7xfw-mbh2 (aliases: CVE-2025-55752, GHSA-wmwf-9ccg-fff5) | Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded, leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue. | Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-y9ne-rw7e-vugf (aliases: CVE-2026-24733, GHSA-qq5r-98hh-rxc9) | Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-zw2q-kna8-mqcm (aliases: CVE-2026-25854, GHSA-9m3c-qcxr-9x87) | | Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-10T00:03:26.882692+00:00 | Apache Tomcat Importer | Affected by | VCID-gyed-x6s8-ybhr | https://tomcat.apache.org/security-10.html | 38.1.0 |
| 2026-04-10T00:03:26.829497+00:00 | Apache Tomcat Importer | Affected by | VCID-zw2q-kna8-mqcm | https://tomcat.apache.org/security-10.html | 38.1.0 |
| 2026-04-10T00:03:26.550747+00:00 | Apache Tomcat Importer | Affected by | VCID-2rmy-13ym-3bgm | https://tomcat.apache.org/security-10.html | 38.1.0 |
| 2026-04-10T00:03:26.416464+00:00 | Apache Tomcat Importer | Affected by | VCID-d1fm-vbd1-n7au | https://tomcat.apache.org/security-10.html | 38.1.0 |
| 2026-04-01T12:38:06.169182+00:00 | Apache Tomcat Importer | Affected by | VCID-wptr-hkjx-s7c3 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:06.102282+00:00 | Apache Tomcat Importer | Affected by | VCID-6pm1-byhk-eqfg | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:06.037813+00:00 | Apache Tomcat Importer | Affected by | VCID-j8tk-s915-pbfy | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.979437+00:00 | Apache Tomcat Importer | Affected by | VCID-qkx6-32cj-jfbp | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.911902+00:00 | Apache Tomcat Importer | Affected by | VCID-p8q2-pt96-5ye8 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.820776+00:00 | Apache Tomcat Importer | Affected by | VCID-nmq2-8ysj-4fbc | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.787337+00:00 | Apache Tomcat Importer | Affected by | VCID-stds-vw5z-auhp | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.753649+00:00 | Apache Tomcat Importer | Affected by | VCID-56jv-htmt-rkew | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.723183+00:00 | Apache Tomcat Importer | Affected by | VCID-v7tp-1t4h-zqeg | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.634116+00:00 | Apache Tomcat Importer | Affected by | VCID-j6cj-ftyd-3ffa | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.606535+00:00 | Apache Tomcat Importer | Affected by | VCID-n9yk-e49f-n7e7 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.580452+00:00 | Apache Tomcat Importer | Affected by | VCID-5781-s1ny-q7ey | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.548408+00:00 | Apache Tomcat Importer | Affected by | VCID-rzj2-4kcj-43dq | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.512732+00:00 | Apache Tomcat Importer | Affected by | VCID-b3bb-9ajg-sfc9 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.483842+00:00 | Apache Tomcat Importer | Affected by | VCID-vsdf-4tfj-uybe | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.451813+00:00 | Apache Tomcat Importer | Affected by | VCID-p6pa-f1fg-hbhg | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.421606+00:00 | Apache Tomcat Importer | Affected by | VCID-3vdn-j7sj-dfdn | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.388256+00:00 | Apache Tomcat Importer | Affected by | VCID-8myk-ac5b-huh8 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.360431+00:00 | Apache Tomcat Importer | Affected by | VCID-8mns-kw6c-a7dk | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.271957+00:00 | Apache Tomcat Importer | Affected by | VCID-v8ku-sjc8-wfga | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.237373+00:00 | Apache Tomcat Importer | Affected by | VCID-gvhy-d4gm-57d3 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.201648+00:00 | Apache Tomcat Importer | Affected by | VCID-43j2-w5xt-43g9 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.173184+00:00 | Apache Tomcat Importer | Affected by | VCID-5sgv-7nsz-5fa8 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.108304+00:00 | Apache Tomcat Importer | Affected by | VCID-kukv-k3z7-7fgs | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.078382+00:00 | Apache Tomcat Importer | Affected by | VCID-sr8e-w1qk-r7fz | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.051123+00:00 | Apache Tomcat Importer | Affected by | VCID-2x6a-3gh1-rkhs | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.022860+00:00 | Apache Tomcat Importer | Affected by | VCID-gb2v-96xj-ybad | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.963738+00:00 | Apache Tomcat Importer | Affected by | VCID-246u-a4rh-yyd4 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.934360+00:00 | Apache Tomcat Importer | Affected by | VCID-2kku-pzer-9ufv | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.903959+00:00 | Apache Tomcat Importer | Affected by | VCID-fpgj-82wf-ykbw | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.877938+00:00 | Apache Tomcat Importer | Affected by | VCID-k59r-wjt3-wqe5 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.849547+00:00 | Apache Tomcat Importer | Affected by | VCID-1e6p-cppr-2bh2 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.821652+00:00 | Apache Tomcat Importer | Affected by | VCID-xqjr-7xfw-mbh2 | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.794092+00:00 | Apache Tomcat Importer | Affected by | VCID-cfhw-vmcp-y3bc | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.764722+00:00 | Apache Tomcat Importer | Affected by | VCID-4cag-c4pb-dfaz | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.733776+00:00 | Apache Tomcat Importer | Affected by | VCID-maw6-4qs5-ykae | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:04.699991+00:00 | Apache Tomcat Importer | Affected by | VCID-y9ne-rw7e-vugf | https://tomcat.apache.org/security-10.html | 38.0.0 |