Search for packages
| purl | pkg:apache/tomcat@9.0.0%2BM1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18q4-zark-s7a7
Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g |
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. |
Affected by 0 other vulnerabilities. |
|
VCID-1e6p-cppr-2bh2
Aliases: CVE-2025-48989 GHSA-gqp3-2cvr-x8m3 |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-1hdb-24e3-f3d6
Aliases: CVE-2017-5651 GHSA-9hg2-395j-83rm |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. |
Affected by 0 other vulnerabilities. |
|
VCID-1k8f-vsg1-k3d6
Aliases: CVE-2016-0706 GHSA-6vx3-hr43-cfrh |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. |
Affected by 0 other vulnerabilities. |
|
VCID-246u-a4rh-yyd4
Aliases: CVE-2025-49125 GHSA-wc4r-xq3c-5cf3 |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-2kku-pzer-9ufv
Aliases: CVE-2025-55668 GHSA-23hv-mwm6-g8jf |
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-2sbh-sy57-3uez
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 0 other vulnerabilities. |
|
VCID-2x6a-3gh1-rkhs
Aliases: CVE-2025-48976 GHSA-vv7r-c36w-3prj |
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-39e3-jfbg-s3hk
Aliases: CVE-2019-10072 GHSA-q4hg-rmq2-52q9 |
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. |
Affected by 1 other vulnerability. |
|
VCID-3cr9-g81m-4ugy
Aliases: CVE-2016-5018 GHSA-4v3g-g84w-hv7r |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. |
Affected by 0 other vulnerabilities. |
|
VCID-3n4t-bvb1-5qer
Aliases: CVE-2016-6796 GHSA-3mjp-p938-4329 |
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. |
Affected by 0 other vulnerabilities. |
|
VCID-3r3s-q21j-c3au
Aliases: CVE-2016-6816 GHSA-jc7p-5r39-9477 |
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. |
Affected by 1 other vulnerability. |
|
VCID-43j2-w5xt-43g9
Aliases: CVE-2024-56337 GHSA-27hp-xhwr-wr2m |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-46bv-6b7y-3bca
Aliases: CVE-2020-11996 GHSA-53hp-jpwq-2jgq |
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-4aaa-errb-2qdw
Aliases: CVE-2019-0232 GHSA-8vmx-qmch-mpqg |
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). |
Affected by 1 other vulnerability. |
|
VCID-4cag-c4pb-dfaz
Aliases: CVE-2025-61795 GHSA-hgrr-935x-pq79 |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4tf3-7f5b-2ffu
Aliases: CVE-2017-7675 GHSA-68g5-8q7f-m384 |
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. |
Affected by 1 other vulnerability. |
|
VCID-5sgv-7nsz-5fa8
Aliases: CVE-2025-24813 GHSA-83qj-6fr2-vhqg |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-66kh-s6cr-tqf9
Aliases: CVE-2020-9484 GHSA-344f-f5vg-2jfj |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-68fk-4g86-ekbp
Aliases: CVE-2015-5345 GHSA-rh8q-vjgf-gf74 |
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. |
Affected by 0 other vulnerabilities. |
|
VCID-885s-t4dx-dybv
Aliases: CVE-2021-33037 GHSA-4vww-mc66-62m6 |
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-95d1-arxd-hkd1
Aliases: CVE-2016-8735 GHSA-cw54-59pw-4g8c |
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. |
Affected by 1 other vulnerability. |
|
VCID-9exq-fhv6-bbea
Aliases: CVE-2016-0763 GHSA-9hjv-9h75-xmpp |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. |
Affected by 0 other vulnerabilities. |
|
VCID-9kfe-1esf-uydm
Aliases: CVE-2025-52434 GHSA-4j3c-42xv-3f84 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue. |
Affected by 1 other vulnerability. |
|
VCID-a8gk-n8bq-87cp
Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m |
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. |
Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-aeeu-fpay-wufz
Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4 |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. |
Affected by 1 other vulnerability. |
|
VCID-arkn-bca7-hqam
Aliases: CVE-2019-0221 GHSA-jjpq-gp5q-8q6w |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. |
Affected by 1 other vulnerability. |
|
VCID-ayrd-8ntf-hkh3
Aliases: CVE-2022-25762 GHSA-h3ch-5pp2-vh6w |
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. |
Affected by 0 other vulnerabilities. |
|
VCID-dzpn-w4b3-vbcm
Aliases: CVE-2019-17563 GHSA-9xcj-c8cr-8c3c |
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. |
Affected by 4 other vulnerabilities. |
|
VCID-eb37-mkxf-7fgw
Aliases: CVE-2020-1938 GHSA-c9hw-wf7x-jp9j |
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. |
Affected by 0 other vulnerabilities. |
|
VCID-enaj-f97c-jbh7
Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949 |
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. |
Affected by 1 other vulnerability. |
|
VCID-f77q-v5xp-e7dy
Aliases: CVE-2018-11784 GHSA-5q99-f34m-67gc |
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. |
Affected by 0 other vulnerabilities. |
|
VCID-fpgj-82wf-ykbw
Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf |
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-fyfz-6tr5-2fc7
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. |
Affected by 2 other vulnerabilities. |
|
VCID-g7bk-891a-uufy
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 0 other vulnerabilities. |
|
VCID-gb2v-96xj-ybad
Aliases: CVE-2025-48988 GHSA-h3gc-qfqq-6h8f |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-gvhy-d4gm-57d3
Aliases: CVE-2024-54677 GHSA-653p-vg55-5652 |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-gyed-x6s8-ybhr
Aliases: CVE-2026-24880 GHSA-563x-q5rq-57qp |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
|
VCID-hmbm-5ysw-77bu
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 3 other vulnerabilities. |
|
VCID-hves-r5bg-yfes
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. |
Affected by 1 other vulnerability. |
|
VCID-k59r-wjt3-wqe5
Aliases: CVE-2025-52520 GHSA-wr62-c79q-cv37 |
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kagr-74d9-kyhx
Aliases: CVE-2016-0762 GHSA-wxcp-f2c8-x6xv |
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. |
Affected by 0 other vulnerabilities. |
|
VCID-kukv-k3z7-7fgs
Aliases: CVE-2025-31651 GHSA-ff77-26x5-69cr |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kwab-3s4q-eka4
Aliases: CVE-2021-30640 GHSA-36qh-35cm-5w2w |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kyb8-rvyw-s7b1
Aliases: CVE-2015-5346 GHSA-jrcp-c39h-r29x |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. |
Affected by 0 other vulnerabilities. |
|
VCID-m1zd-uytj-3bej
Aliases: CVE-2017-5647 GHSA-3gv7-3h64-78cm |
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. |
Affected by 0 other vulnerabilities. |
|
VCID-m2zn-ja8d-7kg8
Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835 |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
Affected by 0 other vulnerabilities. |
|
VCID-maw6-4qs5-ykae
Aliases: CVE-2025-66614 GHSA-fpj8-gq4v-p354 |
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-n3ab-nk7c-hqc9
Aliases: CVE-2021-25329 GHSA-jgwr-3qm3-26f3 |
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-n3zn-tuck-gkfe
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 2 other vulnerabilities. |
|
VCID-nvbx-q971-skgm
Aliases: CVE-2020-13935 GHSA-m7jv-hq7h-mq7c |
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-pqxe-tfhk-47b7
Aliases: CVE-2016-3092 GHSA-fvm3-cfvj-gxqq |
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. |
Affected by 0 other vulnerabilities. |
|
VCID-ruuh-g3fa-m7d8
Aliases: CVE-2019-12418 GHSA-hh3j-x4mc-g48r |
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. |
Affected by 1 other vulnerability. |
|
VCID-sr8e-w1qk-r7fz
Aliases: CVE-2025-46701 GHSA-h2fw-rfh5-95r3 |
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-t2ne-75ck-eqcr
Aliases: CVE-2021-25122 GHSA-j39c-c8hj-x4j3 |
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-tfrs-d458-tfaq
Aliases: CVE-2016-0714 GHSA-mv42-px54-87jw |
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. |
Affected by 0 other vulnerabilities. |
|
VCID-u3ck-cvgt-fuhd
Aliases: CVE-2017-5650 GHSA-9785-w233-x6hv |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. |
Affected by 0 other vulnerabilities. |
|
VCID-v8ku-sjc8-wfga
Aliases: CVE-2024-50379 GHSA-5j33-cvvr-w245 |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-vdnj-sqmx-e3ep
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
Affected by 1 other vulnerability. |
|
VCID-vhjj-dnft-kkf4
Aliases: CVE-2015-5351 GHSA-w7cg-5969-678w |
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. |
Affected by 0 other vulnerabilities. |
|
VCID-wbaq-j85q-y3c6
Aliases: CVE-2019-0199 GHSA-qcxh-w3j9-58qr |
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. |
Affected by 0 other vulnerabilities. |
|
VCID-wgsc-dnn1-ukeq
Aliases: CVE-2020-13943 GHSA-f268-65qc-98vg |
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xf8r-kqxb-7qdy
Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx |
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. |
Affected by 0 other vulnerabilities. |
|
VCID-y9ne-rw7e-vugf
Aliases: CVE-2026-24733 GHSA-qq5r-98hh-rxc9 |
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-yfx4-4gsc-2kgh
Aliases: CVE-2020-1935 GHSA-qxf4-chvg-4r8r |
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. |
Affected by 0 other vulnerabilities. |
|
VCID-yxpq-rrry-j3h8
Aliases: CVE-2016-6817 GHSA-698c-2x4j-g9gq |
The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-10T00:03:27.468139+00:00 | Apache Tomcat Importer | Affected by | VCID-gyed-x6s8-ybhr | https://tomcat.apache.org/security-9.html | 38.1.0 |
| 2026-04-01T12:38:09.907416+00:00 | Apache Tomcat Importer | Affected by | VCID-tfrs-d458-tfaq | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.877416+00:00 | Apache Tomcat Importer | Affected by | VCID-1k8f-vsg1-k3d6 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.848774+00:00 | Apache Tomcat Importer | Affected by | VCID-vhjj-dnft-kkf4 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.818936+00:00 | Apache Tomcat Importer | Affected by | VCID-kyb8-rvyw-s7b1 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.787694+00:00 | Apache Tomcat Importer | Affected by | VCID-68fk-4g86-ekbp | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.752240+00:00 | Apache Tomcat Importer | Affected by | VCID-9exq-fhv6-bbea | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.720817+00:00 | Apache Tomcat Importer | Affected by | VCID-pqxe-tfhk-47b7 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.688638+00:00 | Apache Tomcat Importer | Affected by | VCID-kagr-74d9-kyhx | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.655171+00:00 | Apache Tomcat Importer | Affected by | VCID-3cr9-g81m-4ugy | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.623184+00:00 | Apache Tomcat Importer | Affected by | VCID-18q4-zark-s7a7 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.590313+00:00 | Apache Tomcat Importer | Affected by | VCID-3n4t-bvb1-5qer | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.556160+00:00 | Apache Tomcat Importer | Affected by | VCID-xf8r-kqxb-7qdy | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.523852+00:00 | Apache Tomcat Importer | Affected by | VCID-3r3s-q21j-c3au | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.491656+00:00 | Apache Tomcat Importer | Affected by | VCID-yxpq-rrry-j3h8 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.459019+00:00 | Apache Tomcat Importer | Affected by | VCID-95d1-arxd-hkd1 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.425171+00:00 | Apache Tomcat Importer | Affected by | VCID-hves-r5bg-yfes | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.365411+00:00 | Apache Tomcat Importer | Affected by | VCID-hmbm-5ysw-77bu | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.333447+00:00 | Apache Tomcat Importer | Affected by | VCID-m1zd-uytj-3bej | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.301007+00:00 | Apache Tomcat Importer | Affected by | VCID-u3ck-cvgt-fuhd | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.268611+00:00 | Apache Tomcat Importer | Affected by | VCID-1hdb-24e3-f3d6 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.236375+00:00 | Apache Tomcat Importer | Affected by | VCID-fyfz-6tr5-2fc7 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.203517+00:00 | Apache Tomcat Importer | Affected by | VCID-enaj-f97c-jbh7 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.175377+00:00 | Apache Tomcat Importer | Affected by | VCID-4tf3-7f5b-2ffu | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.145840+00:00 | Apache Tomcat Importer | Affected by | VCID-vdnj-sqmx-e3ep | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.070134+00:00 | Apache Tomcat Importer | Affected by | VCID-2sbh-sy57-3uez | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.036389+00:00 | Apache Tomcat Importer | Affected by | VCID-g7bk-891a-uufy | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:09.003223+00:00 | Apache Tomcat Importer | Affected by | VCID-aeeu-fpay-wufz | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.971033+00:00 | Apache Tomcat Importer | Affected by | VCID-n3zn-tuck-gkfe | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.899900+00:00 | Apache Tomcat Importer | Affected by | VCID-m2zn-ja8d-7kg8 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.866833+00:00 | Apache Tomcat Importer | Affected by | VCID-f77q-v5xp-e7dy | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.826837+00:00 | Apache Tomcat Importer | Affected by | VCID-wbaq-j85q-y3c6 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.781990+00:00 | Apache Tomcat Importer | Affected by | VCID-arkn-bca7-hqam | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.752305+00:00 | Apache Tomcat Importer | Affected by | VCID-4aaa-errb-2qdw | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.721991+00:00 | Apache Tomcat Importer | Affected by | VCID-39e3-jfbg-s3hk | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.688298+00:00 | Apache Tomcat Importer | Affected by | VCID-ayrd-8ntf-hkh3 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.656894+00:00 | Apache Tomcat Importer | Affected by | VCID-ruuh-g3fa-m7d8 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.628526+00:00 | Apache Tomcat Importer | Affected by | VCID-dzpn-w4b3-vbcm | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.570065+00:00 | Apache Tomcat Importer | Affected by | VCID-yfx4-4gsc-2kgh | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.520218+00:00 | Apache Tomcat Importer | Affected by | VCID-eb37-mkxf-7fgw | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.450875+00:00 | Apache Tomcat Importer | Affected by | VCID-46bv-6b7y-3bca | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.391911+00:00 | Apache Tomcat Importer | Affected by | VCID-nvbx-q971-skgm | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.366365+00:00 | Apache Tomcat Importer | Affected by | VCID-wgsc-dnn1-ukeq | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.312483+00:00 | Apache Tomcat Importer | Affected by | VCID-a8gk-n8bq-87cp | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.286114+00:00 | Apache Tomcat Importer | Affected by | VCID-t2ne-75ck-eqcr | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.258568+00:00 | Apache Tomcat Importer | Affected by | VCID-n3ab-nk7c-hqc9 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.231666+00:00 | Apache Tomcat Importer | Affected by | VCID-66kh-s6cr-tqf9 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.118798+00:00 | Apache Tomcat Importer | Affected by | VCID-kwab-3s4q-eka4 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.077633+00:00 | Apache Tomcat Importer | Affected by | VCID-885s-t4dx-dybv | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.335680+00:00 | Apache Tomcat Importer | Affected by | VCID-v8ku-sjc8-wfga | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.295588+00:00 | Apache Tomcat Importer | Affected by | VCID-gvhy-d4gm-57d3 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.254279+00:00 | Apache Tomcat Importer | Affected by | VCID-43j2-w5xt-43g9 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.224217+00:00 | Apache Tomcat Importer | Affected by | VCID-5sgv-7nsz-5fa8 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.158157+00:00 | Apache Tomcat Importer | Affected by | VCID-kukv-k3z7-7fgs | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.125949+00:00 | Apache Tomcat Importer | Affected by | VCID-sr8e-w1qk-r7fz | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.096228+00:00 | Apache Tomcat Importer | Affected by | VCID-2x6a-3gh1-rkhs | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.064312+00:00 | Apache Tomcat Importer | Affected by | VCID-gb2v-96xj-ybad | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:07.006642+00:00 | Apache Tomcat Importer | Affected by | VCID-246u-a4rh-yyd4 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.976294+00:00 | Apache Tomcat Importer | Affected by | VCID-2kku-pzer-9ufv | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.945633+00:00 | Apache Tomcat Importer | Affected by | VCID-fpgj-82wf-ykbw | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.913758+00:00 | Apache Tomcat Importer | Affected by | VCID-k59r-wjt3-wqe5 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.884420+00:00 | Apache Tomcat Importer | Affected by | VCID-9kfe-1esf-uydm | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.855716+00:00 | Apache Tomcat Importer | Affected by | VCID-1e6p-cppr-2bh2 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.764327+00:00 | Apache Tomcat Importer | Affected by | VCID-4cag-c4pb-dfaz | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.731992+00:00 | Apache Tomcat Importer | Affected by | VCID-maw6-4qs5-ykae | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:06.698050+00:00 | Apache Tomcat Importer | Affected by | VCID-y9ne-rw7e-vugf | https://tomcat.apache.org/security-9.html | 38.0.0 |