VulnerableCode Package Details - pkg:apache/tomcat@11.0.20

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@11.0.20

Essentials
History (12)

purl	pkg:apache/tomcat@11.0.20

Next non-vulnerable version	11.0.21
Latest non-vulnerable version	11.0.21
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-2rmy-13ym-3bgm Aliases: CVE-2026-34483 GHSA-rv64-5gf8-9qq8		11.0.21 Affected by 0 other vulnerabilities.
VCID-8e1c-rbkg-v7c2 Aliases: CVE-2026-34500 GHSA-24j9-x2wg-9qv6		11.0.21 Affected by 0 other vulnerabilities.
VCID-abt4-b2cv-eygv Aliases: CVE-2026-34486 GHSA-69r9-qgr7-g2wj		11.0.21 Affected by 0 other vulnerabilities.
VCID-d1fm-vbd1-n7au Aliases: CVE-2026-34487 GHSA-x4m4-345f-5h5g		11.0.21 Affected by 0 other vulnerabilities.
VCID-yrzk-1dbk-muhy Aliases: CVE-2026-29146 GHSA-h468-7pvh-8vr8		11.0.21 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (7)

Vulnerability	Summary	Aliases
VCID-35xg-a746-5qgc		CVE-2026-29129 GHSA-69cc-cv78-qc8g
VCID-74tx-sx8a-guhs		CVE-2026-29145 GHSA-95jq-rwvf-vjx4
VCID-gyed-x6s8-ybhr		CVE-2026-24880 GHSA-563x-q5rq-57qp
VCID-maw6-4qs5-ykae	Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.	CVE-2025-66614 GHSA-fpj8-gq4v-p354
VCID-rsxs-u5cc-rkgj		CVE-2026-32990 GHSA-8mc5-53m5-3qj2
VCID-yrzk-1dbk-muhy		CVE-2026-29146 GHSA-h468-7pvh-8vr8
VCID-zw2q-kna8-mqcm		CVE-2026-25854 GHSA-9m3c-qcxr-9x87

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-10T00:03:26.318622+00:00	Apache Tomcat Importer	Fixing	VCID-gyed-x6s8-ybhr	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:26.262643+00:00	Apache Tomcat Importer	Fixing	VCID-zw2q-kna8-mqcm	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:26.207461+00:00	Apache Tomcat Importer	Fixing	VCID-35xg-a746-5qgc	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:26.153241+00:00	Apache Tomcat Importer	Fixing	VCID-74tx-sx8a-guhs	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:26.101195+00:00	Apache Tomcat Importer	Fixing	VCID-yrzk-1dbk-muhy	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:26.052615+00:00	Apache Tomcat Importer	Fixing	VCID-rsxs-u5cc-rkgj	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.998838+00:00	Apache Tomcat Importer	Fixing	VCID-maw6-4qs5-ykae	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.940021+00:00	Apache Tomcat Importer	Affected by	VCID-2rmy-13ym-3bgm	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.890702+00:00	Apache Tomcat Importer	Affected by	VCID-abt4-b2cv-eygv	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.845419+00:00	Apache Tomcat Importer	Affected by	VCID-yrzk-1dbk-muhy	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.792559+00:00	Apache Tomcat Importer	Affected by	VCID-d1fm-vbd1-n7au	https://tomcat.apache.org/security-11.html	38.1.0
2026-04-10T00:03:25.730756+00:00	Apache Tomcat Importer	Affected by	VCID-8e1c-rbkg-v7c2	https://tomcat.apache.org/security-11.html	38.1.0