Vulnerability details: VCID-241m-q6vd-kudk
Vulnerability ID: VCID-241m-q6vd-kudk
Aliases: CVE-2011-2526, GHSA-9ggm-7897-x4mg
Summary: Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
Weaknesses (3)
System | Score | Found at
generic_textual | MODERATE | http://marc.info/?l=bugtraq&m=132215163318824&w=2
generic_textual | MODERATE | http://marc.info/?l=bugtraq&m=133469267822771&w=2
generic_textual | MODERATE | http://marc.info/?l=bugtraq&m=136485229118404&w=2
generic_textual | MODERATE | http://marc.info/?l=bugtraq&m=139344343412337&w=2
generic_textual | MODERATE | https://access.redhat.com/errata/RHSA-2012:0074
generic_textual | MODERATE | https://access.redhat.com/errata/RHSA-2012:0075
generic_textual | MODERATE | https://access.redhat.com/errata/RHSA-2012:0076
epss | 0.0013 | https://api.first.org/data/v1/epss?cve=CVE-2011-2526
generic_textual | MODERATE | https://bugzilla.redhat.com/show_bug.cgi?id=720948
apache_tomcat | Low | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526
generic_textual | MODERATE | https://exchange.xforce.ibmcloud.com/vulnerabilities/68541
cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-9ggm-7897-x4mg
generic_textual | MODERATE | https://github.com/apache/tomcat55/commit/e67f6882118f2a8285e4e8acd050dad64a3ef3e4
generic_textual | MODERATE | https://github.com/apache/tomcat/commit/1d372c881eafd9ffe729996f8560fd5fe50cd39d
generic_textual | MODERATE | https://github.com/apache/tomcat/commit/2e69497fa7b1444632c6dadb64a4a82e18478ee6
generic_textual | MODERATE | https://github.com/apache/tomcat/commit/48dded4ab1209a030770ab67a789d3b2528b6329
generic_textual | MODERATE | https://github.com/apache/tomcat/commit/ff8789737a0a64c12d68929497f16d8021052048
generic_textual | MODERATE | https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
generic_textual | MODERATE | https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
generic_textual | MODERATE | https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
generic_textual | MODERATE | https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2011-2526
generic_textual | MODERATE | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14573
generic_textual | MODERATE | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19514
generic_textual | MODERATE | http://svn.apache.org/viewvc?view=revision&revision=1145383
generic_textual | MODERATE | http://svn.apache.org/viewvc?view=revision&revision=1145571
generic_textual | MODERATE | http://svn.apache.org/viewvc?view=revision&revision=1145694
generic_textual | MODERATE | http://svn.apache.org/viewvc?view=revision&revision=1146005
generic_textual | MODERATE | https://web.archive.org/web/20110717104325/http://www.securityfocus.com/bid/48667
generic_textual | MODERATE | https://web.archive.org/web/20111110135231/http://www.securityfocus.com/archive/1/518889/100/0/threaded
generic_textual | MODERATE | https://web.archive.org/web/20121025191346/http://secunia.com/advisories/45232
generic_textual | MODERATE | https://web.archive.org/web/20140802025928/http://secunia.com/advisories/48308
generic_textual | MODERATE | https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126
generic_textual | MODERATE | https://web.archive.org/web/20160101172212/http://rhn.redhat.com/errata/RHSA-2012-0078.html
generic_textual | MODERATE | https://web.archive.org/web/20160101172638/http://rhn.redhat.com/errata/RHSA-2012-0077.html
generic_textual | MODERATE | https://web.archive.org/web/20160101195415/http://rhn.redhat.com/errata/RHSA-2012-0325.html
generic_textual | MODERATE | https://web.archive.org/web/20161107143207/http://www.securitytracker.com/id?1025788
generic_textual | MODERATE | http://tomcat.apache.org/security-5.html
generic_textual | MODERATE | http://tomcat.apache.org/security-6.html
generic_textual | MODERATE | http://tomcat.apache.org/security-7.html
generic_textual | MODERATE | http://www.debian.org/security/2012/dsa-2401
generic_textual | MODERATE | http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
Reference id | Reference type | URL
 | | http://marc.info/?l=bugtraq&m=132215163318824&w=2
 | | http://marc.info/?l=bugtraq&m=133469267822771&w=2
 | | http://marc.info/?l=bugtraq&m=136485229118404&w=2
 | | http://marc.info/?l=bugtraq&m=139344343412337&w=2
 | | http://rhn.redhat.com/errata/RHSA-2012-0074.html
 | | http://rhn.redhat.com/errata/RHSA-2012-0075.html
 | | http://rhn.redhat.com/errata/RHSA-2012-0076.html
 | | https://access.redhat.com/errata/RHSA-2012:0074
 | | https://access.redhat.com/errata/RHSA-2012:0075
 | | https://access.redhat.com/errata/RHSA-2012:0076
 | | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2526.json
 | | https://api.first.org/data/v1/epss?cve=CVE-2011-2526
 | | https://bugzilla.redhat.com/show_bug.cgi?id=720948
 | | https://exchange.xforce.ibmcloud.com/vulnerabilities/68541
 | | https://github.com/apache/tomcat55/commit/e67f6882118f2a8285e4e8acd050dad64a3ef3e4
 | | https://github.com/apache/tomcat/commit/1d372c881eafd9ffe729996f8560fd5fe50cd39d
 | | https://github.com/apache/tomcat/commit/2e69497fa7b1444632c6dadb64a4a82e18478ee6
 | | https://github.com/apache/tomcat/commit/48dded4ab1209a030770ab67a789d3b2528b6329
 | | https://github.com/apache/tomcat/commit/ff8789737a0a64c12d68929497f16d8021052048
 | | https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
 | | https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
 | | https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
 | | https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
 | | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14573
 | | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19514
 | | https://svn.apache.org/viewvc?view=rev&rev=1145383
 | | https://svn.apache.org/viewvc?view=rev&rev=1145489
 | | https://svn.apache.org/viewvc?view=rev&rev=1145571
 | | https://svn.apache.org/viewvc?view=rev&rev=1145694
 | | https://svn.apache.org/viewvc?view=rev&rev=1146005
 | | https://svn.apache.org/viewvc?view=rev&rev=1146703
 | | https://svn.apache.org/viewvc?view=rev&rev=1158244
 | | http://svn.apache.org/viewvc?view=revision&revision=1145383
 | | http://svn.apache.org/viewvc?view=revision&revision=1145571
 | | http://svn.apache.org/viewvc?view=revision&revision=1145694
 | | http://svn.apache.org/viewvc?view=revision&revision=1146005
 | | https://web.archive.org/web/20110717104325/http://www.securityfocus.com/bid/48667
 | | https://web.archive.org/web/20111110135231/http://www.securityfocus.com/archive/1/518889/100/0/threaded
 | | https://web.archive.org/web/20121025191346/http://secunia.com/advisories/45232
 | | https://web.archive.org/web/20140802025928/http://secunia.com/advisories/48308
 | | https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126
 | | https://web.archive.org/web/20160101172212/http://rhn.redhat.com/errata/RHSA-2012-0078.html
 | | https://web.archive.org/web/20160101172638/http://rhn.redhat.com/errata/RHSA-2012-0077.html
 | | https://web.archive.org/web/20160101195415/http://rhn.redhat.com/errata/RHSA-2012-0325.html
 | | https://web.archive.org/web/20161107143207/http://www.securitytracker.com/id?1025788
 | | http://tomcat.apache.org/security-5.html
 | | http://tomcat.apache.org/security-6.html
 | | http://tomcat.apache.org/security-7.html
 | | http://www.debian.org/security/2012/dsa-2401
 | | http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
CVE-2011-2526 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526
CVE-2011-2526 | | https://nvd.nist.gov/vuln/detail/CVE-2011-2526
GHSA-9ggm-7897-x4mg | | https://github.com/advisories/GHSA-9ggm-7897-x4mg
GLSA-201206-24 | | https://security.gentoo.org/glsa/201206-24
RHSA-2011:1780 | | https://access.redhat.com/errata/RHSA-2011:1780
RHSA-2012:0041 | | https://access.redhat.com/errata/RHSA-2012:0041
RHSA-2012:0077 | | https://access.redhat.com/errata/RHSA-2012:0077
RHSA-2012:0078 | | https://access.redhat.com/errata/RHSA-2012:0078
RHSA-2012:0091 | | https://access.redhat.com/errata/RHSA-2012:0091
RHSA-2012:0325 | | https://access.redhat.com/errata/RHSA-2012:0325
RHSA-2012:0679 | | https://access.redhat.com/errata/RHSA-2012:0679
RHSA-2012:0680 | | https://access.redhat.com/errata/RHSA-2012:0680
RHSA-2012:0681 | | https://access.redhat.com/errata/RHSA-2012:0681
RHSA-2012:0682 | | https://access.redhat.com/errata/RHSA-2012:0682
USN-1252-1 | | https://usn.ubuntu.com/1252-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile: 0.32384
EPSS Score: 0.0013
Published At: April 1, 2026, 12:55 p.m.
Date | Actor | Action | Source | VulnerableCode Version
2026-04-01T12:38:15.528215+00:00 | Apache Tomcat Importer | Import | https://tomcat.apache.org/security-7.html | 38.0.0