Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-yrzk-1dbk-muhy
Vulnerability ID VCID-yrzk-1dbk-muhy
Aliases CVE-2026-29146
GHSA-h468-7pvh-8vr8
Summary
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29146.json
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-29146
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-29146
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-29146
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29146
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-h468-7pvh-8vr8
cvssv3.1 7.5 https://github.com/apache/tomcat
cvssv4 8.7 https://github.com/apache/tomcat
generic_textual HIGH https://github.com/apache/tomcat
cvssv3.1 7.5 https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
cvssv4 8.7 https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
generic_textual HIGH https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
ssvc Track https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-29146
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-29146
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-29146
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2026/04/09/24
cvssv4 8.7 http://www.openwall.com/lists/oss-security/2026/04/09/24
generic_textual HIGH http://www.openwall.com/lists/oss-security/2026/04/09/24
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29146.json
https://api.first.org/data/v1/epss?cve=CVE-2026-29146
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1
https://github.com/apache/tomcat/commit/1fab40ccc752e22639eccfe290d5624afad7eccd
https://github.com/apache/tomcat/commit/55f3eb9148233054fccfdf761141c6894a050be1
https://github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c
https://github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa
https://github.com/apache/tomcat/commit/776e12b3e2b0b4507b8a3b62c187ceb0b74bf418
https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
https://nvd.nist.gov/vuln/detail/CVE-2026-29146
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
http://www.openwall.com/lists/oss-security/2026/04/09/24
1133356 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
1133357 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
2457020 https://bugzilla.redhat.com/show_bug.cgi?id=2457020
CVE-2026-29146 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29146
CVE-2026-29146 https://www.herodevs.com/vulnerability-directory/cve-2026-29146
GHSA-h468-7pvh-8vr8 https://github.com/advisories/GHSA-h468-7pvh-8vr8
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29146.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:17:02Z/ Found at https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-29146
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-29146
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2026/04/09/24
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at http://www.openwall.com/lists/oss-security/2026/04/09/24
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.08877
EPSS Score 0.00031
Published At April 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-10T00:03:25.832211+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-11.html 38.1.0