| Vulnerability ID | VCID-su1y-2bxh-9qe2 |
| Aliases | CVE-2007-3386 |
| Summary | Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action. |
| Status | Published |
| Exploitability | 2.0 |
| Weighted Severity | 2.7 |
| Risk | 5.4 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.69959 | https://api.first.org/data/v1/epss?cve=CVE-2007-3386 |
| epss | 0.73782 | https://api.first.org/data/v1/epss?cve=CVE-2007-3386 |
| apache_tomcat | Low | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 |
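The summary above names the weakness class (a request parameter reflected unescaped into the Host Manager HTML response) and the affected version ranges. The following is an added example written for this page, not code from the Apache Tomcat project or from the Exploit-DB entry: it checks a Tomcat version string against the ranges stated in the summary, contrasts unescaped and HTML-escaped rendering of an aliases value to show the bug class and its generic fix, and scans constructed access-log lines for html/add requests whose aliases parameter carries markup. The request path `/host-manager/html/add` is assumed from the default Host Manager context; the log lines are constructed, not real traffic.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Affected version ranges are those stated in the summary on this page.
AFFECTED_RANGES = {
    (6, 0): ((6, 0, 0), (6, 0, 13)),
    (5, 5): ((5, 5, 0), (5, 5, 24)),
}


def parse_version(version):
    """Parse 'major.minor.patch' into an integer tuple for comparison."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside an affected range from the summary."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]


def render_alias_unsafe(alias):
    """Weakness class described by the summary: a request parameter is copied
    verbatim into the HTML response, so any markup in it is interpreted."""
    return f"<td>{alias}</td>"


def render_alias_escaped(alias):
    """Output encoding removes the injection: '<' becomes '&lt;' and so on."""
    return f"<td>{html.escape(alias, quote=True)}</td>"


# Assumed default context path for the Host Manager web application.
HOST_MANAGER_ADD = "/host-manager/html/add"
# Crude indicator of HTML/script injection attempts in a parameter value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=", re.I)
# Common-log-format request line as Tomcat's AccessLogValve writes it.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_request(line):
    """Return (client_ip, suspicious_alias_values) when the access-log line is
    an html/add request whose aliases parameter contains markup, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != HOST_MANAGER_ADD:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    suspicious = [v for v in params.get("aliases", []) if MARKUP.search(v)]
    if not suspicious:
        return None
    return (m.group("ip"), suspicious)


def scan_log(lines):
    """Apply flag_request to every line and keep the hits."""
    return [hit for hit in (flag_request(line) for line in lines) if hit]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [14/Aug/2007:10:01:02 +0000] "GET /host-manager/html/add?name=example.org&aliases=www.example.org HTTP/1.1" 200 4211',
    '10.0.0.9 - admin [14/Aug/2007:10:02:17 +0000] "GET /host-manager/html/add?name=x&aliases=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4302',
    '10.0.0.9 - admin [14/Aug/2007:10:02:40 +0000] "GET /manager/html/list HTTP/1.1" 200 1580',
]

if __name__ == "__main__":
    for ver in ("6.0.13", "6.0.14", "5.5.24", "5.5.25"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(render_alias_unsafe("<script>alert(1)</script>"))
    print(render_alias_escaped("<script>alert(1)</script>"))
    for ip, values in scan_log(SAMPLE_LOG):
        print("suspicious html/add request from", ip, values)
```

The version check is only as good as the reported version string: a vendor build such as the Red Hat packages covered by the RHSA references in this entry may carry a backported fix under an affected-looking version number, so confirm against the distribution advisory rather than the upstream range alone. The log scan is a low-cost retrospective check; because this is a reflected XSS, the injected value appears in the request line, which is why an access log is enough to spot attempts.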
| Reference id | Reference type | URL |
|---|---|---|
| | | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-3386.json |
| | | https://api.first.org/data/v1/epss?cve=CVE-2007-3386 |
| 247994 | | https://bugzilla.redhat.com/show_bug.cgi?id=247994 |
| CVE-2007-3386 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 |
| CVE-2007-3386;OSVDB-36417 | Exploit | https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/30495.html |
| CVE-2007-3386;OSVDB-36417 | Exploit | https://www.securityfocus.com/bid/25314/info |
| RHSA-2007:0871 | | https://access.redhat.com/errata/RHSA-2007:0871 |
| RHSA-2007:0876 | | https://access.redhat.com/errata/RHSA-2007:0876 |
| Data source | Exploit-DB |
|---|---|
| Date added | Aug. 14, 2007 |
| Description | Apache Tomcat 6.0.13 - Host Manager Servlet Cross-Site Scripting |
| Ransomware campaign use | Known |
| Source publication date | Aug. 14, 2007 |
| Exploit type | remote |
| Platform | multiple |
| Source update date | Dec. 25, 2013 |
| Source URL | https://www.securityfocus.com/bid/25314/info |
| Percentile | 0.98657 |
| EPSS Score | 0.69959 |
| Published At | April 1, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T12:38:17.935556+00:00 | Apache Tomcat Importer | Import | https://tomcat.apache.org/security-6.html | 38.0.0 |