org.apache.tomcat:tomcat
Maven158 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.tomcat:tomcatpage 4 of 4
- CVE-2026-34487HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.212026-04-09
vulnerable: 11.0.0 ... 11.0.9 (41 versions)
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 1…
- CVE-2026-41284HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versi…
- CVE-2026-41293CRITICALCVSS 9.8EG 9.8✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of suppo…
- CVE-2026-42498HIGHCVSS 7.3EG 7.3✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 throug…
- CVE-2026-43512CRITICALCVSS 9.8EG 9.8✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 …
- CVE-2026-43513HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.…
- CVE-2026-43514LOWCVSS 3.7EG 3.7✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8…
- CVE-2026-43515CRITICALCVSS 9.1EG 9.1✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.…
Check whether org.apache.tomcat:tomcat is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.tomcat:tomcat CVEs against the assets you own.
Start Free Scan →