pkg:Maven/org.apache.tomcat:tomcat

All known vulnerabilities

• CRITICAL9.8CVE-2026-41293Apache Tomcat - HTTP/2 request headers not validated
  from 0, < 9.0.118
• CRITICAL9.8CVE-2026-43512Apache Tomcat - Digest authenticator will authenticate any unknown user
  from 0, < 9.0.118
• CRITICAL9.8Apache Tomcat affected by vulnerability in TLS and SSL protocol
  >= 7.0.0, < 7.0.10
• CRITICAL9.6Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
  >= 11.0.0-M1, < 11.0.11
• CRITICAL9.1Apache Tomcat - Security constraints not correctly applied
  from 0, < 9.0.118
• CRITICAL9.1Apache Tomcat: CLIENT_CERT authentication does not fail as expected
  >= 9.0.83, < 9.0.116
• CRITICAL9.1Apache Tomcat - Client certificate verification bypass
  >= 11.0.0-M1, < 11.0.15
• HIGH8.8Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token
  from 0, < 7.0.68
• HIGH8.8Improper Access Control in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M2
• HIGH8.6Improper socket reuse in Apache Tomcat
  >= 8.5.0, < 8.5.75
• HIGH8.4Apache Tomcat installer for Windows has an untrusted search path vulnerability
  >= 11.0.0-M1, < 11.0.8
• HIGH8.1Improper Neutralization of Input During Web Page Generation in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M2
• HIGH7.8Incorrect Default Permissions in Apache Tomcat
  from 0, < 8.0.53
• HIGH7.5Apache Tomcat: LockOutRealm treats user names as case-sensitive
  from 0, < 9.0.118
• HIGH7.5Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
  from 0, < 9.0.118
• HIGH7.5Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
  >= 9.0.40, < 9.0.116
• HIGH7.5Apache Tomcat Missing Encryption of Sensitive Data vulnerability
  >= 11.0.20, < 11.0.21
• HIGH7.5Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
  >= 9.0.13, < 9.0.117
• HIGH7.5Apache Tomcat: Configured cipher preference order not preserved
  >= 9.0.114, < 9.0.116
• HIGH7.5Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor
  >= 9.0.13, < 9.0.116
• HIGH7.5Apache Tomcat Vulnerable to Relative Path Traversal
  >= 11.0.0-M1, < 11.0.11
• HIGH7.5Apache Tomcat does not enforce the maxHttpHeaderSize limit
  >= 6.0.0, < 6.0.32
• HIGH7.5Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M12
• HIGH7.5Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M19
• HIGH7.5Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request
  >= 8.5.7, < 8.5.10
• HIGH7.5Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M22
• HIGH7.5Improper Handling of Exceptional Conditions in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M21
• HIGH7.5Improper Resource Shutdown or Release in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M19
• HIGH7.5Apache Tomcat vulnerable to SecurityManager bypass
  >= 9.0.0.M1, < 9.0.0.M10
• HIGH7.5Incorrect Authorization in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M10
• HIGH7.5Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption
  >= 10.1.0-M1, < 10.1.0-M15
• HIGH7.5Uncontrolled Resource Consumption in Apache Tomcat
  >= 10.0.0-M1, < 10.0.0-M5
• HIGH7.5Infinite Loop in Apache Tomcat
  >= 10.0.0-M1, < 10.0.0-M7
• HIGH7.5Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
  >= 10.0.0-M1, < 10.0.0-M6
• HIGH7.5Missing Release of Resource after Effective Lifetime in Apache Tomcat
  >= 10.1.0-M1, < 10.1.0-M6
• HIGH7.5Infinite loop in Tomcat due to parsing error
  >= 10.0.0, < 10.0.4
• HIGH7.5Improper Handling of Exceptional Conditions in Apache Tomcat
  >= 10.0.3, < 10.0.5
• HIGH7.3Apache Tomcat - WebSocket authentication header exposure
  from 0, < 9.0.118
• HIGH7.0Race condition in Apache Tomcat
  >= 10.0.0, < 10.0.16
• MEDIUM6.5Authentication Bypass by Alternate Name in Apache Tomcat
  >= 10.0.0-M1, < 10.0.5
• MEDIUM6.3Improper Verification of Source of a Communication Channel in Apache Tomcat
  >= 7.0.0, < 7.0.68
• MEDIUM6.1Apache Tomcat has an Open Redirect vulnerability
  >= 8.5.30, < 9.0.116
• MEDIUM6.1Apache Tomcat Open Redirect vulnerability
  >= 11.0.0-M1, < 11.0.0-M11
• MEDIUM6.1Cross-site Scripting in Apache Tomcat
  >= 10.1.0-M1, < 10.1.0-M17
• MEDIUM5.9Observable Discrepancy in Apache Tomcat
  >= 9.0.0M1, < 9.0.0.M10
• MEDIUM5.3Apache Tomcat has an Improper Input Validation vulnerability
  >= 9.0.113, < 9.0.116
• MEDIUM5.3Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
  >= 11.0.0-M1, < 11.0.12
• MEDIUM5.3Apache Tomcat Uncontrolled Resource Consumption vulnerability
  >= 11.0.0-M1, < 11.0.2
• MEDIUM5.3Apache Tomcat Improper Input Validation vulnerability
  >= 11.0.0-M1, < 11.0.0-M12
• MEDIUM5.3Apache Tomcat Incomplete Cleanup vulnerability
  >= 9.0.0-M1, < 9.0.81
• MEDIUM5.3Directory Traversal in Apache Tomcat
  >= 4.1.0, < 4.1.40
• MEDIUM5.3Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M2
• MEDIUM5.3Inconsistent documentation in Apache Tomcat
  >= 9.0.0.M22, < 9.0.2
• MEDIUM5.3System Property Disclosure in Apache Tomcat
  >= 6.0.0, < 6.0.47
• MEDIUM5.3HTTP Request Smuggling in Apache Tomcat
  >= 10.0.0-M1, < 10.0.7
• MEDIUM4.8Potential HTTP request smuggling in Apache Tomcat
  >= 7.0.98, < 7.0.100
• MEDIUM4.8Potential HTTP request smuggling in Apache Tomcat
  from 0, < 7.0.100
• MEDIUM4.3Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M2
• MEDIUM4.3Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
  >= 8.0.0-RC1, < 8.0.27
• MEDIUM4.3Insufficient Verification of Data Authenticity in Apache Tomcat
  >= 9.0.0.M1, < 9.0.0.M22
• MEDIUM4.2Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  >= 4.1.0, <= 4.1.39
• LOW3.7Apache Tomcat - AJP secret compared in non-constant time
  from 0, < 9.0.118
• LOW3.7Apache Tomcat - Security constraint bypass with HTTP/0.9
  >= 11.0.0-M1, < 11.0.15
• LOW3.7Apache Tomcat Race Condition vulnerability
  >= 8.5.0, < 8.5.78
• —Apache Tomcat Exposes IP Addresses and HTTP Headers of Requests
  >= 6.0.30, < 6.0.35
• —Deserialization of Untrusted Data in Apache Tomcat
  from 0, < 7.0.39
• —Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  >= 7.0.0, < 7.0.40
• —Apache Tomcat Allows Replacing of XML Parser
  >= 7.0.0, < 7.0.17
• —Apache Tomcat does not follow ServletSecurity annotations
  >= 7.0, < 7.0.11
• —Improper Authentication in Apache Tomcat
  >= 5.5.0, < 5.5.36
• —Apache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users
  >= 7.0.0, < 7.0.12
• —Authentication Bypass in Apache Tomcat
  >= 6.0.0, < 6.0.36
• —Cross-Site Request Forgery in Apache Tomcat
  >= 6.0.0, < 6.0.36
• —Improper Access Control in Apache Tomcat
  >= 5.5.0, < 5.5.36
• —Improper Input Validation in Apache Tomcat
  >= 5.5.0, < 5.5.35
• —Apache Tomcat allows remote attackers to bypass intended access restrictions
  >= 7.0.0, < 7.0.10
• —Access controll bypass in Apache Tomcat
  >= 7.0.11, < 7.0.12
• —Access restriction bypass in Apache Tomcat
  >= 7.0.12, < 7.0.14
• —Improper Neutralization of Input During Web Page Generation in Apache Tomcat
  >= 7.0.0, < 7.0.5
• —Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header
  >= 6.0.0, < 6.0.35
• —Apache Tomcat affected by infinite loop in Double.parseDouble method in Java Runtime Environment
  >= 7.0.0, < 7.0.7
• —Use of Hard-coded Cryptographic Key in Apache Tomcat
  >= 5.5.0, < 5.5.34
• —Improper Authentication in Apache Tomcat
  >= 5.5.0, < 5.5.34
• —Improper Input Validation in Apache Tomcat
  from 0, < 5.5.34
• —Insertion of Sensitive Information into Log File in Apache Tomcat
  >= 5.5.0, < 5.5.34
• —Apache Tomcat does not properly handle an invalid Transfer-Encoding header
  >= 7.0.0, < 7.0.2
• —Improper Authentication in Apache Tomcat
  >= 5.5.0, < 5.5.34
• —Apache Tomcat Allows Remote Attackers to Spoof AJP Requests
  >= 7.0.0, < 7.0.21
• —Authentication Bypass in Apache Tomcat
  >= 5.5.0, < 5.5.34
• —Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
  >= 7.0.0, < 7.0.4
• —Apache Tomcat is vulnerable to HTTP request-smuggling
  from 0, < 6.0.39
• —Apache Tomcat Vulnerable to Denial of Service (DoS) via Improper Handling of chunk extensions
  >= 6.0.0, < 6.0.37
• —Improper Input Validation in Apache Tomcat
  >= 6.0.33, < 6.0.38
• —Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  from 0, < 6.0.39
• —Apache Tomcat Denial of Service vulnerability
  from 0, < 6.0.39
• —Improper Authentication in Apache Tomcat
  >= 6.0.21, < 6.0.37
• —Integer Overflow or Wraparound in Apache Tomcat
  from 0, < 6.0.40
• —Improper Input Validation in Apache Tomcat
  >= 6.0.0, < 6.0.42
• —Uncontrolled Resource Consumption in Apache Tomcat
  >= 6.0.0, < 6.0.44
• —Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat
  from 0, < 6.0.40
• —Missing XML Validation in Apache Tomcat
  from 0, < 6.0.40
• —Improper Input Validation in Apache Tomcat
  from 0, < 6.0.40
• —Improper Access Control in Apache Tomcat
  >= 6.0.0, < 6.0.44
• —Apache Tomcat Unrestricted file upload vulnerability
  >= 7.0, < 7.0.40
• —Denial of Service in Apache Tomcat
  >= 5.5.0, < 5.5.35
• —Improper Neutralization of Input During Web Page Generation in Apache Tomcat
  >= 5.5.0, < 5.5.32
• —Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
  >= 5.5.0, < 5.5.30
• —Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Tomcat
  >= 5.5.0, < 5.5.29
• —Improper Authentication in Apache Tomcat
  >= 5.5.0, < 5.5.29
• —Apache Tomcat Directory Traversal vulnerability
  >= 5.5.0, < 5.5.29
• —Cross-site scripting in Apache Tomcat
  >= 4.1.0, <= 4.1.39
• —Exposure of Sensitive Information in Apache Tomcat
  >= 4.1.0, < 4.1.40
• —Apache Tomcat Denial of Service via Malformed Request Headers
  >= 4.1.0, <= 4.1.39
• —Apache Tomcat information disclosure vulnerability
  >= 4.1.32, < 4.1.35
• —Apache Tomcat Directory Traversal vulnerability
  >= 4.1.0, < 4.1.39
• —Apache Tomcat Path Traversal Vulnerability
  >= 4.1.0, < 4.1.38
• —Apache Tomcat Cross-site scripting (XSS) vulnerability
  >= 5.5.9, < 5.5.27
• —Apache Tomcat Cross-site scripting (XSS) vulnerability
  >= 4.1.0, < 4.1.38
• —Apache Tomcat Sensitive Information Disclosure
  >= 6.0.0, < 6.0.16
• —Apache Tomcat Does Not Properly Handle Empty Requests
  >= 5.5.11, <= 5.5.25
• —Apache Tomcat Path Traversal Vulnerability
  >= 4.0.0, <= 4.0.6
• —Exposure of Sensitive Information in Apache Tomcat
  >= 6.0.0, < 6.0.15
• —Apache Tomcat Example Application CSRF and XSS Vulnerabilities
  from 0, <= 4.1.31
• —Apache Tomcat's CookieExample Vulnerable to XSS
  >= 3.3.0, <= 3.3.2
• —Apache Tomcat SendMailServlet XSS
  >= 4.0.0, <= 4.0.6
• —Apache Tomcat treats single quotes as delimiters in cookies
  >= 6.0.0, <= 6.0.13
• —Apache Tomcat Mishandles Character Sequence in Cookies
  >= 6.0.0, <= 6.0.13
• —Apache Tomcat vulnerable to Cross-site Scripting
  >= 4.0.0, <= 4.0.6
• —Apache Tomcat XSS Vulnerabilities in Examples Web Application
  >= 4.0.0, <= 4.0.6
• —Apache Tomcat XSS In Accept-Language Headers
  >= 4.0.0, <= 4.0.6
• —Apache Tomcat Directory Traversal
  >= 5.0, < 5.5.22
• —Cross-site scripting in Apache Tomcat
  >= 4.0.0, < 4.0.7
• —Apache Tomcat Buffer Over-Read
  from 0, <= 5.5.15
• —Apache Tomcat XSS Vulnerability
  >= 5.0.0, <= 5.0.30
• —Apache Tomcat Reveals Directories
  >= 5.0.0, < 5.5.17
• —Apache Tomcat allows remote attackers to read JSP source files
  >= 4.1.15, <= 4.1.40
• —Apache Tomcat Discloses MS-DOS Pathname
  from 0, <= 4.0.3
• —Apache Tomcat Vulnerable to Denial of Service (DoS) via Simultaneous Requests
  >= 5.5.0, < 5.5.12
• —Apache Tomcat AJP Connector Information Leak
  >= 4.0.1, <= 4.0.6
• —Tomcat Vulnerable to Web Cache Poisoning
  >= 5.0.0, <= 5.0.19
• —Apache Tomcat DoS via Malicious Get Request
  >= 4.0.0, <= 4.1.12
• —Apache Tomcat Leaks Information via Error Message
  from 0, < 4.1.3
• —Apache Tomcat Leaks Pathname Information via Error Message
  >= 4.0.0, <= 4.0.1
• —Apache Tomcat Default Installation Reveals Sensitive Information
  >= 4.0.0, < 4.1.0
• —Apache Tomcat XSS Vulnerability
  >= 4.1.0, < 4.1.29
• —Apache Tomcat Source Code Disclosure
  from 0, < 4.0.6
• —Apache Tomcat Source Code Disclosure
  >= 4.0.0, < 4.0.5
• —Apache Tomcat DoS Via Requests Including Null Characters
  from 0, < 4.1.3-beta
• —Apache Tomcat may be started without proper security settings
  from 0, < 4.0b7
• —Apache Tomcat Reveals Path through Long URL
  from 0, < 4.0.2
• —Apache Tomcat allows webmasters to insert xss into error messages
  from 0, <= 3.2.1
• —Apache Tomcat Directory Traversal
  from 0, <= 3.1
• —Jakarta Apache Tomcat Reveals Physical Paths
  from 0, <= 3.1
• —Apache Tomcat Denial of Service vulnerability in the Catalina package
  >= 4.0, < 4.1.0
• —Jakarta Tomcat cross-site scripting (XSS) vulnerability
  >= 3.0, < 3.3.2
• —Tomcat uses trusted privileges when processing web.xml file
  from 0, < 3.3.1a
• —Jakarta Tomcat Directory Listing vulnerability
  from 0, < 3.3.1a
• —Jakarta Tomcat Denial of Service vulnerability
  from 0, < 3.3.1a
• —Commons FileUpload Denial of service vulnerability
  >= 8.0.0-RC1, < 8.0.3