Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@6.0.47
purl pkg:maven/org.apache.tomcat/tomcat@6.0.47
Tags Ghost
Next non-vulnerable version 9.0.117
Latest non-vulnerable version 11.0.21
Risk 10.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-3r3s-q21j-c3au
Aliases:
CVE-2016-6816
GHSA-jc7p-5r39-9477
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
6.0.48
Affected by 1 other vulnerability.
7.0.73
Affected by 20 other vulnerabilities.
8.0.39
Affected by 11 other vulnerabilities.
8.5.8
Affected by 34 other vulnerabilities.
9.0.0.M12
Affected by 0 other vulnerabilities.
9.0.0.M13
Affected by 14 other vulnerabilities.
VCID-95d1-arxd-hkd1
Aliases:
CVE-2016-8735
GHSA-cw54-59pw-4g8c
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
6.0.48
Affected by 1 other vulnerability.
7.0.73
Affected by 20 other vulnerabilities.
8.0.39
Affected by 11 other vulnerabilities.
8.5.7
Affected by 2 other vulnerabilities.
8.5.8
Affected by 34 other vulnerabilities.
9.0.0.M12
Affected by 0 other vulnerabilities.
9.0.0.M13
Affected by 14 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:00:50.913826+00:00 GHSA Importer Fixing VCID-18q4-zark-s7a7 https://github.com/advisories/GHSA-2rvf-329f-p99g 38.0.0
2026-04-01T13:11:25.140198+00:00 GithubOSV Importer Fixing VCID-18q4-zark-s7a7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2rvf-329f-p99g/GHSA-2rvf-329f-p99g.json 38.0.0
2026-04-01T12:50:05.575699+00:00 GitLab Importer Fixing VCID-18q4-zark-s7a7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2016-6794.yml 38.0.0
2026-04-01T12:38:16.226050+00:00 Apache Tomcat Importer Fixing VCID-kagr-74d9-kyhx https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.194766+00:00 Apache Tomcat Importer Fixing VCID-3cr9-g81m-4ugy https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.163986+00:00 Apache Tomcat Importer Fixing VCID-18q4-zark-s7a7 https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.135910+00:00 Apache Tomcat Importer Fixing VCID-3n4t-bvb1-5qer https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.105432+00:00 Apache Tomcat Importer Fixing VCID-xf8r-kqxb-7qdy https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.074135+00:00 Apache Tomcat Importer Affected by VCID-3r3s-q21j-c3au https://tomcat.apache.org/security-6.html 38.0.0
2026-04-01T12:38:16.046711+00:00 Apache Tomcat Importer Affected by VCID-95d1-arxd-hkd1 https://tomcat.apache.org/security-6.html 38.0.0