VulnerableCode Package Details - pkg:apache/tomcat@5.5.26

Search for packages

Vulnerability	Summary	Fixed by
VCID-a9cu-fxqw-xkdg Aliases: CVE-2008-1232 GHSA-q74x-qqhr-f8rx	Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.	5.5.27 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.18 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-acmu-9eqb-fya5 Aliases: CVE-2008-2370 GHSA-m8h8-6rvg-f4mg	Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.	5.5.27 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.18 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-egup-27ub-6uaf Aliases: CVE-2008-1947 GHSA-f98p-9pp6-7q6c	Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.	5.5.27 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.18 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-a9cu-fxqw-xkdg
Aliases:
CVE-2008-1232
GHSA-q74x-qqhr-f8rx

Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.

5.5.27
Affected by 5 other vulnerabilities.

6.0.18
Affected by 5 other vulnerabilities.

VCID-acmu-9eqb-fya5
Aliases:
CVE-2008-2370
GHSA-m8h8-6rvg-f4mg

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

5.5.27
Affected by 5 other vulnerabilities.

6.0.18
Affected by 5 other vulnerabilities.

VCID-egup-27ub-6uaf
Aliases:
CVE-2008-1947
GHSA-f98p-9pp6-7q6c

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

5.5.27
Affected by 5 other vulnerabilities.

6.0.18
Affected by 5 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7pd9-1r19-73fe	Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.	CVE-2007-6286 GHSA-qrj4-rmqg-4hcp
VCID-88v7-kc2y-bfd7	Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.	CVE-2007-5461 GHSA-v5p2-vg3c-pmrr
VCID-hhkg-mfp5-2kax	The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.	CVE-2007-5342 GHSA-w65j-cmqc-37p2
VCID-v94p-bxm3-akfd	Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.	CVE-2007-5333 GHSA-cww4-vj5r-rx57

Vulnerability

Summary

Aliases

VCID-7pd9-1r19-73fe

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

CVE-2007-6286
GHSA-qrj4-rmqg-4hcp

VCID-88v7-kc2y-bfd7

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

CVE-2007-5461
GHSA-v5p2-vg3c-pmrr

VCID-hhkg-mfp5-2kax

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

CVE-2007-5342
GHSA-w65j-cmqc-37p2

VCID-v94p-bxm3-akfd

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

CVE-2007-5333
GHSA-cww4-vj5r-rx57

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:18.861111+00:00	Apache Tomcat Importer	Fixing	VCID-7pd9-1r19-73fe	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.834064+00:00	Apache Tomcat Importer	Fixing	VCID-88v7-kc2y-bfd7	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.808019+00:00	Apache Tomcat Importer	Fixing	VCID-hhkg-mfp5-2kax	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.778496+00:00	Apache Tomcat Importer	Fixing	VCID-v94p-bxm3-akfd	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.747142+00:00	Apache Tomcat Importer	Affected by	VCID-acmu-9eqb-fya5	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.719054+00:00	Apache Tomcat Importer	Affected by	VCID-egup-27ub-6uaf	https://tomcat.apache.org/security-5.html	38.0.0
2026-04-01T12:38:18.689097+00:00	Apache Tomcat Importer	Affected by	VCID-a9cu-fxqw-xkdg	https://tomcat.apache.org/security-5.html	38.0.0