Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@9.0.76
purl pkg:maven/org.apache.tomcat/tomcat@9.0.76
Next non-vulnerable version 9.0.117
Latest non-vulnerable version 11.0.21
Risk 10.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-2zq1-na8s-mfdd
Aliases:
CVE-2025-31650
GHSA-3p2h-wqq4-wf4h
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
9.0.104
Affected by 2 other vulnerabilities.
10.1.40
Affected by 2 other vulnerabilities.
11.0.6
Affected by 2 other vulnerabilities.
VCID-6kcx-vptm-zbds
Aliases:
CVE-2023-42794
GHSA-jm7m-8jh6-29hp
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
9.0.81
Affected by 1 other vulnerability.
VCID-b3bb-9ajg-sfc9
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
9.0.83
Affected by 2 other vulnerabilities.
10.1.16
Affected by 1 other vulnerability.
11.0.0-M11
Affected by 4 other vulnerabilities.
11.0.1
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-12T00:03:49.612901+00:00 GitLab Importer Affected by VCID-b3bb-9ajg-sfc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml 38.3.0
2026-04-11T23:59:51.043934+00:00 GitLab Importer Affected by VCID-6kcx-vptm-zbds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-42794.yml 38.3.0
2026-04-03T00:08:30.258078+00:00 GitLab Importer Affected by VCID-b3bb-9ajg-sfc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml 38.1.0
2026-04-03T00:02:54.613571+00:00 GitLab Importer Affected by VCID-6kcx-vptm-zbds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-42794.yml 38.1.0
2026-04-01T12:38:07.205636+00:00 Apache Tomcat Importer Affected by VCID-2zq1-na8s-mfdd https://tomcat.apache.org/security-9.html 38.0.0