
Apache Tomcat — Vulnerabilities & Security Advisories (110)

All 110 CVE vulnerabilities found in Apache Tomcat, with AI-generated Chinese analysis, references, and POCs.

This page catalogues Common Weakness Enumerations associated with Apache Tomcat, a widely used open-source HTTP server and servlet container developed by the Apache Software Foundation. It aggregates a comprehensive range of security flaws, including cross-site scripting, remote code execution, information disclosure, and improper access control issues, covering vulnerability reports from the software’s inception through the most recent critical updates. By consulting this resource, users can systematically track vendor advisories and security patches issued by the Apache community, gain a deeper understanding of how specific weakness classes manifest within servlet container environments, and review the historical trend of vulnerabilities to assess the long-term security posture and remediation effectiveness of the product. The data is organized to facilitate efficient searching and analysis, allowing security professionals to identify patterns, evaluate risk exposure across different versions, and prioritize mitigation strategies based on verified incident data. This collection serves as a central reference point for developers, system administrators, and security analysts seeking to maintain the integrity and confidentiality of systems reliant on Apache Tomcat infrastructure.

Vendor: Apache Software Foundation

Values followed by (AI) carry the source page's "AI" marker on the CVSS score or severity; "-" means the field was empty on the page.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-43515 | Apache Tomcat: Security constraints not correctly applied | CWE-285 | - | - | 2026-05-12 |
| CVE-2026-43514 | Apache Tomcat: AJP secret compared in non-constant time | CWE-208 | - | - | 2026-05-12 |
| CVE-2026-43513 | Apache Tomcat: LockOutRealm treats user names as case-sensitive | CWE-178 | - | - | 2026-05-12 |
| CVE-2026-43512 | Apache Tomcat: Digest authenticator will authenticate any unknown user | CWE-592 | - | - | 2026-05-12 |
| CVE-2026-41293 | Apache Tomcat: HTTP/2 request headers not validated | CWE-20 | - | - | 2026-05-12 |
| CVE-2026-42498 | Apache Tomcat: WebSocket authentication header exposure | CWE-200 | - | - | 2026-05-12 |
| CVE-2026-41284 | Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling | CWE-770 | - | - | 2026-05-12 |
| CVE-2026-34500 | Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled | - | 8.1 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34487 | Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token | CWE-532 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34486 | Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor | CWE-311 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34483 | Apache Tomcat: Incomplete escaping of JSON access logs | CWE-116 | 9.8 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-32990 | Apache Tomcat: Fix for CVE-2025-66614 is incomplete | CWE-20 | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-29146 | Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default | - | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-29145 | Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled | - | 9.8 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-29129 | Apache Tomcat: TLS cipher order is not preserved | - | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-25854 | Apache Tomcat: Occasionally open redirect | CWE-601 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-24880 | Apache Tomcat: Request smuggling via invalid chunk extension | CWE-444 | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-24733 | Apache Tomcat: Security constraint bypass with HTTP/0.9 | CWE-20 | 7.5 (AI) | High (AI) | 2026-02-17 |
| CVE-2025-66614 | Apache Tomcat: Client certificate verification bypass due to virtual host mapping | CWE-20 | 9.8 (AI) | Critical (AI) | 2026-02-17 |
| CVE-2025-61795 | Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS | CWE-404 | 7.5 | - | 2025-10-27 |
| CVE-2025-55752 | Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled | CWE-23 | 9.8 (AI) | Critical (AI) | 2025-10-27 |
| CVE-2025-55754 | Apache Tomcat: console manipulation via escape sequences in log messages | CWE-150 | 8.8 | - | 2025-10-27 |
| CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve | CWE-384 | 9.8 | - | 2025-08-13 |
| CVE-2025-48989 | Apache Tomcat: h2 DoS - Made You Reset | CWE-404 | 7.5 (AI) | High (AI) | 2025-08-13 |
| CVE-2025-53506 | Apache Tomcat: DoS via excessive h2 streams at connection start | CWE-400 | 7.5 | - | 2025-07-10 |
| CVE-2025-52520 | Apache Tomcat: DoS via integer overflow in multipart file upload | CWE-190 | 7.5 | - | 2025-07-10 |
| CVE-2025-52434 | Apache Tomcat: APR/Native Connector crash leading to DoS | CWE-362 | 8.1 | - | 2025-07-10 |
| CVE-2025-49124 | Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows | CWE-426 | 7.8 (AI) | High (AI) | 2025-06-16 |
| CVE-2025-49125 | Apache Tomcat: Security constraint bypass for pre/post-resources | CWE-288 | 9.1 | - | 2025-06-16 |
| CVE-2025-48988 | Apache Tomcat: FileUpload large number of parts with headers DoS | CWE-770 | 7.5 | - | 2025-06-16 |
