Apache Software Foundation Apache Tomcat Vulnerabilities
CVE security advisories and vulnerability history for Apache Tomcat by Apache Software Foundation.
115
Total CVEs
Published
5
In CISA KEV
Exploited in the wild
16
Public exploits
PoC or exploit code
7.3
Avg CVSS
2017–2026
Last updated
Overview
Apache Software Foundation Apache Tomcat has 115 published CVE records since 2017, of which 5 are in CISA's Known Exploited Vulnerabilities catalog and 16 have a known public exploit. The average CVSS base score across scored CVEs is 7.3.
This page aggregates every publicly disclosed vulnerability (CVE) affecting Apache Software Foundation Apache Tomcat, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.
Severity and exploitation
How the CVSS severity of Apache Software Foundation Apache Tomcat's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.
Critical22
High57
Medium34
Low2
In CISA’s Known Exploited Vulnerabilities catalog
5
5 of Apache Software Foundation Apache Tomcat's CVEs are confirmed exploited in the wild.
Public exploits
16
16 of Apache Software Foundation Apache Tomcat's CVEs have a known public exploit available.
Affected versions and CVEs
Browse every Apache Software Foundation Apache Tomcat version named in a CVE, then pick one to see only the CVEs that affect it.
Common questions about Apache Software Foundation Apache Tomcat vulnerabilities.
How many CVEs does Apache Software Foundation Apache Tomcat have?
Apache Software Foundation Apache Tomcat has 115 published CVE records since 2017.
How many Apache Software Foundation Apache Tomcat CVEs are in CISA KEV?
Yes — 5 of Apache Software Foundation Apache Tomcat's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.
Are there public exploits for Apache Software Foundation Apache Tomcat vulnerabilities?
Yes — 16 of Apache Software Foundation Apache Tomcat's CVEs have a known public exploit.
Which versions of Apache Software Foundation Apache Tomcat are affected?
405 distinct Apache Software Foundation Apache Tomcat versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.
What are the most common weakness types in Apache Software Foundation Apache Tomcat CVEs?
Apache Software Foundation Apache Tomcat's CVEs most often map to these CWE weakness types: CWE-20 (Improper Input Validation), CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
How many critical Apache Software Foundation Apache Tomcat vulnerabilities are there?
Apache Software Foundation Apache Tomcat has 22 critical and 57 high-severity CVEs.
What is the average severity of Apache Software Foundation Apache Tomcat CVEs?
The average CVSS base score across Apache Software Foundation Apache Tomcat's scored CVEs is 7.3.