org.apache.tomcat.embed:tomcat-embed-core
Maven69 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.tomcat.embed:tomcat-embed-corepage 2 of 2
- CVE-2025-55752HIGHCVSS 7.5EG 7.52025-10-27
vulnerable: 8.5.100 ... 8.5.99 (80 versions)
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that r…
- CVE-2025-55754CRITICALCVSS 9.6EG 9.62025-10-27
vulnerable: 8.5.100 ... 8.5.99 (37 versions)
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console s…
- CVE-2025-61795MEDIUMCVSS 5.3EG 5.32025-10-27
vulnerable: 8.5.0 ... 8.5.99 (85 versions)
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned u…
- CVE-2025-66614CRITICALCVSS 9.1EG 9.1✓ Fixed in 11.0.152026-02-17
vulnerable: 11.0.0 ... 11.0.9 (38 versions)
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but…
- CVE-2026-24733LOWCVSS 3.7EG 3.7✓ Fixed in 11.0.152026-02-17
vulnerable: 11.0.0 ... 11.0.9 (38 versions)
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass th…
- CVE-2026-24734HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.182026-02-17
vulnerable: 11.0.0 ... 11.0.9 (39 versions)
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP re…
- CVE-2026-24880HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.202026-04-09
vulnerable: 11.0.0 ... 11.0.9 (40 versions)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52,…
- CVE-2026-25854MEDIUMCVSS 6.1EG 6.1✓ Fixed in 11.0.202026-04-09
vulnerable: 11.0.0 ... 11.0.9 (40 versions)
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.…
- CVE-2026-29129HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.202026-04-09
vulnerable: 11.0.18
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade…
- CVE-2026-32990MEDIUMCVSS 5.3EG 5.3✓ Fixed in 11.0.202026-04-09
vulnerable: 11.0.15, 11.0.18
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are re…
- CVE-2026-34483HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.212026-04-09
vulnerable: 11.0.0 ... 11.0.9 (41 versions)
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Us…
- CVE-2026-34487HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.212026-04-09
vulnerable: 11.0.0 ... 11.0.9 (41 versions)
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 1…
- CVE-2026-41284HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versi…
- CVE-2026-41293CRITICALCVSS 9.8EG 9.8✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of suppo…
- CVE-2026-42498HIGHCVSS 7.3EG 7.3✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 throug…
- CVE-2026-43512CRITICALCVSS 9.8EG 9.8✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 …
- CVE-2026-43513HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.…
- CVE-2026-43514LOWCVSS 3.7EG 3.7✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8…
- CVE-2026-43515CRITICALCVSS 9.1EG 9.1✓ Fixed in 11.0.222026-05-12
vulnerable: 11.0.0 ... 11.0.9 (42 versions)
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.…
Check whether org.apache.tomcat.embed:tomcat-embed-core is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.tomcat.embed:tomcat-embed-core CVEs against the assets you own.
Start Free Scan →