CRITICAL9.8CVE-2025-24813⚠ KEVApache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT from 0, < 9.0.43-2~deb11u12
CRITICAL9.8CVE-2025-24813⚠ KEVApache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT from 0, < 9.0.43-2~deb11u12
CRITICAL9.8CVE-2020-1938⚠ KEVImproper Privilege Management in Tomcat from 0, < 9.0.31-1
from 0, < 9.0.43-2~deb11u7
CRITICAL9.8CVE-2026-41293Apache Tomcat - HTTP/2 request headers not validated from 0, < 9.0.70-2
CRITICAL9.8CVE-2026-43512Apache Tomcat - Digest authenticator will authenticate any unknown user from 0, < 9.0.70-2
CRITICAL9.8CVE-2025-31651Apache Tomcat: Bypass of rules in Rewrite Valve from 0, < 9.0.107-0+deb11u1
CRITICAL9.8CVE-2024-56337Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete from 0, < 9.0.43-2~deb11u11
CRITICAL9.8CVE-2024-50379Apache Tomcat: RCE due to TOCTOU issue in JSP compilation from 0, < 9.0.43-2~deb11u11
CRITICAL9.8CVE-2024-52316Apache Tomcat: Authentication bypass when using Jakarta Authentication API from 0, < 9.0.43-2~deb11u11
CRITICAL9.6CVE-2025-55754Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences from 0, < 9.0.107-0+deb11u2
CRITICAL9.1CVE-2026-43515Apache Tomcat - Security constraints not correctly applied from 0, < 9.0.70-2
CRITICAL9.1CVE-2026-29145Apache Tomcat: CLIENT_CERT authentication does not fail as expected from 0, < 9.0.70-2
CRITICAL9.1CVE-2025-66614Apache Tomcat: Client certificate verification bypass due to virtual host mapping from 0, < 9.0.70-2
from 0, < 9.0.43-2~deb11u11
HIGH8.6CVE-2022-25762Response mix-up with WebSocket concurrent send and close from 0, < 9.0.22-1
HIGH7.5CVE-2026-41284Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling from 0, < 9.0.70-2
HIGH7.5CVE-2026-43513Apache Tomcat: LockOutRealm treats user names as case-sensitive from 0, < 9.0.70-2
HIGH7.5CVE-2026-34483Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve from 0, < 9.0.70-2
HIGH7.5CVE-2026-34487Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token from 0, < 9.0.70-2
HIGH7.5CVE-2026-29129Apache Tomcat: Configured cipher preference order not preserved from 0, < 9.0.70-2
HIGH7.5CVE-2026-24880Apache Tomcat has an HTTP Request/Response Smuggling vulnerability from 0, < 9.0.70-2
HIGH7.5CVE-2026-29146Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor from 0, < 9.0.70-2
HIGH7.5CVE-2026-24734Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass from 0, < 9.0.70-2
HIGH7.5CVE-2025-55752Apache Tomcat Vulnerable to Relative Path Traversal from 0, < 9.0.107-0+deb11u2
HIGH7.5CVE-2025-55752Apache Tomcat Vulnerable to Relative Path Traversal from 0, < 9.0.107-0+deb11u2
HIGH7.5CVE-2025-48989Apache Tomcat Improper Resource Shutdown or Release vulnerability from 0, < 9.0.70-2
HIGH7.5CVE-2025-53506Apache Tomcat: DoS via excessive h2 streams at connection start from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-52434Apache Tomcat: APR/Native Connector crash leading to DoS from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-52520Apache Tomcat: DoS via integer overflow in multipart file upload from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-48988Apache Tomcat: FileUpload large number of parts with headers DoS from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-48976Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-49125Apache Tomcat: Security constraint bypass for pre/post-resources from 0, < 9.0.107-0+deb11u1
HIGH7.5CVE-2025-31650Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame from 0, < 9.0.107-0+deb11u1
from 0, < 9.0.107-0+deb11u1
from 0, < 9.0.107-0+deb11u1
from 0, < 9.0.43-2~deb11u10
HIGH7.5CVE-2023-46589Apache Tomcat: HTTP request smuggling via malformed trailer headers from 0, < 9.0.43-2~deb11u10
HIGH7.5CVE-2023-46589Apache Tomcat: HTTP request smuggling via malformed trailer headers from 0, < 9.0.43-2~deb11u10
HIGH7.5CVE-2023-46589Apache Tomcat: HTTP request smuggling via malformed trailer headers from 0, < 9.0.31-1~deb10u11
from 0, < 9.0.31-1~deb10u9
from 0, < 9.0.43-2~deb11u7
from 0, < 9.0.43-2~deb11u7
from 0, < 9.0.43-2~deb11u6
HIGH7.5CVE-2022-42252Apache Tomcat request smuggling via malformed content-length from 0, < 9.0.43-2~deb11u6
HIGH7.5CVE-2022-42252Apache Tomcat request smuggling via malformed content-length from 0, < 9.0.43-2~deb11u6
HIGH7.5CVE-2022-42252Apache Tomcat request smuggling via malformed content-length from 0, < 9.0.31-1~deb10u8
HIGH7.5CVE-2022-29885EncryptInterceptor does not provide complete protection on insecure networks from 0, < 9.0.43-2~deb11u4
from 0, < 9.0.31-1~deb10u2
from 0, < 9.0.36-1
HIGH7.5CVE-2020-17527Apache Tomcat: Request header mix-up between HTTP/2 streams from 0, < 9.0.40-1
from 0, < 9.0.37-1
HIGH7.5CVE-2020-13934Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat from 0, < 9.0.37-1
from 0, < 9.0.43-2~deb11u3
from 0, < 9.0.43-2~deb11u3
from 0, < 9.0.43-2~deb11u2
from 0, < 9.0.31-1~deb10u6
from 0, < 9.0.31-1~deb10u4
from 0, < 9.0.43-1
HIGH7.5CVE-2019-0199Apache Tomcat Denial of Service vulnerability from 0, < 9.0.16-1
from 0, < 9.0.31-1
from 0, < 9.0.22-1
from 0, < 9.0.31-1~deb10u1
HIGH7.3CVE-2026-42498Apache Tomcat - WebSocket authentication header exposure from 0, < 9.0.70-2
HIGH7.3CVE-2025-46701Apache Tomcat: Security constraint bypass for CGI scripts from 0, < 9.0.107-0+deb11u1
from 0, < 9.0.43-2~deb11u4
from 0, < 9.0.43-1
HIGH7.0CVE-2020-9484Potential remote code execution in Apache Tomcat from 0, < 9.0.35-1
from 0, < 9.0.31-1
MEDIUM6.5CVE-2026-34500Apache Tomcat: CLIENT_CERT authentication does not fail as expected from 0, < 9.0.70-2
MEDIUM6.5CVE-2025-55668Apache Tomcat: session fixation via rewrite valve from 0, < 9.0.70-2
from 0, < 9.0.31-1~deb10u5
from 0, < 9.0.43-2~deb11u1
MEDIUM6.3CVE-2024-23672Apache Tomcat: WebSocket DoS with incomplete closing handshake from 0, < 9.0.43-2~deb11u10
MEDIUM6.3CVE-2024-23672Apache Tomcat: WebSocket DoS with incomplete closing handshake from 0, < 9.0.31-1~deb10u12
MEDIUM6.1CVE-2026-25854Apache Tomcat has an Open Redirect vulnerability from 0, < 9.0.70-2
MEDIUM6.1CVE-2023-41080Apache Tomcat: Open redirect with FORM authentication from 0, < 9.0.43-2~deb11u7
from 0, < 9.0.65-1
from 0, < 9.0.16-4
from 0, < 9.0.40-1
MEDIUM5.3CVE-2026-32990Apache Tomcat has an Improper Input Validation vulnerability from 0, < 9.0.70-2
MEDIUM5.3CVE-2025-61795Apache Tomcat Vulnerable to Improper Resource Shutdown or Release from 0, < 9.0.107-0+deb11u2
MEDIUM5.3CVE-2024-54677Apache Tomcat Uncontrolled Resource Consumption vulnerability from 0, < 9.0.107-0+deb11u1
MEDIUM5.3CVE-2024-21733Apache Tomcat: Leaking of unrelated request bodies in default error page from 0, < 9.0.43-2~deb11u11
MEDIUM5.3CVE-2024-21733Apache Tomcat: Leaking of unrelated request bodies in default error page from 0, < 9.0.43-2~deb11u11
MEDIUM5.3CVE-2023-45648Apache Tomcat: Trailer header parsing too lenient from 0, < 9.0.43-2~deb11u7
MEDIUM5.3CVE-2023-42795Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests from 0, < 9.0.43-2~deb11u7
MEDIUM5.3CVE-2021-33037Incorrect Transfer-Encoding handling with HTTP/1.0 from 0, < 9.0.43-2~deb11u1
from 0, < 9.0.31-1
MEDIUM4.8CVE-2020-1935Potential HTTP request smuggling in Apache Tomcat from 0, < 9.0.31-1
MEDIUM4.3CVE-2023-28708Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations from 0, < 9.0.43-2~deb11u6
from 0, < 9.0.31-1~deb10u3
from 0, < 9.0.38-1
LOW3.7CVE-2026-43514Apache Tomcat - AJP secret compared in non-constant time from 0, < 9.0.70-2
LOW3.7CVE-2026-24733Apache Tomcat: Security constraint bypass with HTTP/0.9 from 0, < 9.0.70-2
from 0, < 9.0.43-2~deb11u4
from 0, < 9.0.31-1~deb10u7
from 0, < 9.0.43-2~deb11u4