Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Apache
Tomcat

apache tomcat Vulnerabilities: CVEs, CISA KEV & Security Advisories

256 CVEs

6 in CISA KEV

apache tomcat Vulnerabilities

CVE security advisories and vulnerability history for tomcat by apache.

256

Total CVEs

Published

6

In CISA KEV

Exploited in the wild

54

Public exploits

With known exploit

7.5

Avg CVSS

2000–2026

Last updated May 12, 2026

Overview

apache tomcat has 256 published CVE records since 2000, of which 6 are in CISA's Known Exploited Vulnerabilities catalog and 54 have a known public exploit. The average CVSS base score across scored CVEs is 7.5.

This page aggregates every publicly disclosed vulnerability (CVE) affecting apache tomcat, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of apache tomcat's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical12

High34

Medium14

Low2

194 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

6

6 of apache tomcat's CVEs are confirmed exploited in the wild.

Public exploits

54

54 of apache tomcat's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every apache tomcat version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

Fixed in

10.1.557 CVEs
11.0.227 CVEs
9.0.1187 CVEs
10.1.536 CVEs
11.0.206 CVEs
9.0.1166 CVEs
0289da4f342744334e0fc5a53ee958e68024fead4 CVEs
05ccf0c3e22d388f0cf853e32485d8249d051f2f4 CVEs
10.0.274 CVEs
10.1.424 CVEs
11.0.84 CVEs
8a48dcb90f13f1670632e763e945f4cc9ef869e64 CVEs
9.0.1064 CVEs

Find a version

256 CVEs

Sort

Apache Tomcat: Security constraints not correctly applied
CVE-2026-43515
Patch
CWE-285
Critical · CVSS 9.1
EPSS 0.1% (26th pct)2026-05-12
Apache Tomcat: AJP secret compared in non-constant time
CVE-2026-43514
Patch
CWE-208
Low · CVSS 3.7
EPSS 0.1% (27th pct)2026-05-12
Apache Tomcat: LockOutRealm treats user names as case-sensitive
CVE-2026-43513
Patch
CWE-178
High · CVSS 7.5
EPSS 0.1% (24th pct)2026-05-12
Apache Tomcat: Digest authenticator will authenticate any unknown user
CVE-2026-43512
Patch
CWE-592
Critical · CVSS 9.8
EPSS 0.1% (34th pct)2026-05-12
Apache Tomcat: HTTP/2 request headers not validated
CVE-2026-41293
Patch
CWE-20
Critical · CVSS 9.8
EPSS 0.3% (49th pct)2026-05-12
Apache Tomcat: WebSocket authentication header exposure
CVE-2026-42498
Patch
CWE-200
High · CVSS 7.3
EPSS 0.1% (16th pct)2026-05-12
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
CVE-2026-41284
Patch
CWE-770
High · CVSS 7.5
EPSS 0.1% (21th pct)2026-05-12
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
CVE-2026-34500
Patch
CWE-287
Medium · CVSS 6.5
EPSS 0.1% (35th pct)2026-04-09
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
CVE-2026-34487
Patch
CWE-532
High · CVSS 7.5
EPSS 0.1% (22th pct)2026-04-09
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
CVE-2026-34486
Patch
CWE-311
High · CVSS 7.5
EPSS 1.9% (84th pct)2026-04-09
Apache Tomcat: Incomplete escaping of JSON access logs
CVE-2026-34483
Patch
CWE-116
High · CVSS 7.5
EPSS 0.1% (21th pct)2026-04-09
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
CVE-2026-32990
Patch
CWE-20
Medium · CVSS 5.3
EPSS 0.2% (43th pct)2026-04-09
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
CVE-2026-29146
Patch
CWE-209
High · CVSS 7.5
EPSS 12.9% (94th pct)2026-04-09
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
CVE-2026-29145
Patch
CWE-287
Critical · CVSS 9.1
EPSS 0.0% (9th pct)2026-04-09
Apache Tomcat: TLS cipher order is not preserved
CVE-2026-29129
Patch
CWE-327
High · CVSS 7.5
EPSS 0.0% (10th pct)2026-04-09
Apache Tomcat: Occasionally open redirect
CVE-2026-25854
Patch
CWE-601
Medium · CVSS 6.1
EPSS 0.0% (10th pct)2026-04-09
Apache Tomcat: Request smuggling via invalid chunk extension
CVE-2026-24880
Patch
CWE-444
High · CVSS 7.5
EPSS 0.2% (39th pct)2026-04-09
Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
CVE-2026-24734
Patch
CWE-20
High · CVSS 7.4
EPSS 0.1% (26th pct)2026-02-17
Apache Tomcat: Security constraint bypass with HTTP/0.9
CVE-2026-24733
Patch
CWE-20
Medium · CVSS 6.5
EPSS 0.2% (37th pct)2026-02-17
Apache Tomcat: Client certificate verification bypass due to virtual host mapping
CVE-2025-66614
Patch
CWE-20
High · CVSS 7.6
EPSS 0.1% (16th pct)2026-02-17
Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS
CVE-2025-61795
Patch
CWE-404
Medium · CVSS 5.3
EPSS 0.1% (32th pct)2025-10-27
Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
CVE-2025-55752
Patch
CWE-23
High · CVSS 7.5
EPSS 0.3% (51th pct)2025-10-27
Apache Tomcat: console manipulation via escape sequences in log messages
CVE-2025-55754
Patch
CWE-150
Critical · CVSS 9.6
EPSS 0.1% (33th pct)2025-10-27
Apache Tomcat: session fixation via rewrite valve
CVE-2025-55668
Patch
CWE-384
Medium · CVSS 6.5
EPSS 0.0% (5th pct)2025-08-13
Apache Tomcat: h2 DoS - Made You Reset
CVE-2025-48989
Patch
CWE-404
High · CVSS 7.5
EPSS 1.0% (78th pct)2025-08-13
Apache Tomcat: DoS via excessive h2 streams at connection start
CVE-2025-53506
Patch
CWE-400
High · CVSS 7.5
EPSS 1.2% (80th pct)2025-07-10
Apache Tomcat: DoS via integer overflow in multipart file upload
CVE-2025-52520
Patch
CWE-190
High · CVSS 7.5
EPSS 0.7% (72th pct)2025-07-10
Apache Tomcat: APR/Native Connector crash leading to DoS
CVE-2025-52434
Patch
CWE-362
High · CVSS 7.5
EPSS 1.2% (79th pct)2025-07-10
Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows
CVE-2025-49124
Patch
CWE-426
High · CVSS 8.4
EPSS 0.2% (39th pct)2025-06-16
Apache Tomcat: Security constraint bypass for pre/post-resources
CVE-2025-49125
Patch
CWE-288
High · CVSS 7.5
EPSS 0.2% (41th pct)2025-06-16

Showing 30 of 256

Common weakness types

The CWE weakness categories most often found in apache tomcat CVEs. Follow any weakness for its full explanation.

CWE-20Improper Input Validation8 CVEs
CWE-400Uncontrolled Resource Consumption5 CVEs
CWE-444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')4 CVEs
CWE-459Incomplete Cleanup4 CVEs
CWE-200Exposure of Sensitive Information to an Unauthorized Actor4 CVEs
CWE-116Improper Encoding or Escaping of Output3 CVEs
CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition3 CVEs
CWE-404Improper Resource Shutdown or Release3 CVEs

Disclosure activity by year

How many apache tomcat CVEs were published each year.

2015

3

2016

12

2017

24

2018

8

2019

7

2020

10

2021

8

2022

6

2023

10

2024

11

2025

15

2026

20

Other apache products

Browse vulnerabilities for other products by apache.

http server338 CVEs airflow163 CVEs httpd113 CVEs struts91 CVEs traffic server82 CVEs ofbiz74 CVEs trafficserver70 CVEs superset68 CVEs

All apache vulnerabilities

Frequently asked questions

Common questions about apache tomcat vulnerabilities.

How many CVEs does apache tomcat have?

apache tomcat has 256 published CVE records since 2000.

How many apache tomcat CVEs are in CISA KEV?

Yes — 6 of apache tomcat's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Are there public exploits for apache tomcat vulnerabilities?

Yes — 54 of apache tomcat's CVEs have a known public exploit.

Which versions of apache tomcat are affected?

296 distinct apache tomcat versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in apache tomcat CVEs?

apache tomcat's CVEs most often map to these CWE weakness types: CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')), CWE-459 (Incomplete Cleanup).

How many critical apache tomcat vulnerabilities are there?

apache tomcat has 12 critical and 34 high-severity CVEs.

What is the average severity of apache tomcat CVEs?

The average CVSS base score across apache tomcat's scored CVEs is 7.5.

References

All apache vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track apache tomcat vulnerabilities

Monitor new apache tomcat vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References

ca8720d41f3be917dc3fcdd03fcca8d3152a13fb

4 CVEs

10.1.343 CVEs

10.1.543 CVEs

11.0.23 CVEs

11.0.213 CVEs

36d4f7d698f71cd322204a3b242a97c54860fb8c3 CVEs

727a8467a37e17fef91e12a65db4d56862d361713 CVEs

8.5.943 CVEs

9.0.1173 CVEs

9.0.813 CVEs

9.0.983 CVEs

90a0120a60faf9a3a657b113a7e2cdda2112be913 CVEs

acf7da1801a4751b282a70ced24b73c1046db8313 CVEs

d428a82c122c86e64aa4ffc4a515aee31ba7a51e3 CVEs

> 10.1.242 CVEs

> 10.1.302 CVEs

> 11.0.0-m202 CVEs

> 11.0.0-M262 CVEs

> 9.0.892 CVEs

> 9.0.952 CVEs

10.1.142 CVEs

10.1.192 CVEs

10.1.252 CVEs

10.1.312 CVEs

10.1.402 CVEs

10.1.452 CVEs

10.1.502 CVEs

11.0.112 CVEs

11.0.152 CVEs

11.0.62 CVEs

1da89d3d01aece456d622548d92055a60ff19c372 CVEs

1ee4bc9109d48cd062d1bc1a4c002358e03455e92 CVEs

312541e51725cdfe98d8cc6414b31d36d913fdd12 CVEs

43d5ad023d2eee2ca162eded597a23afa0b922962 CVEs

542c35ae834fb29616b184a0e4276a5b7f8542de2 CVEs

5feba31fa86b38bd645bf9cc1ddee883ad7bc6a42 CVEs

65977c7d1da9b6016e2b19de06c3be7373f408592 CVEs

692d6ffc5aa75d6804749ffcc14353c6b046fd922 CVEs

7b4007a6a77300056f4681b064d7332c2284cbdd2 CVEs

7ecea31658766b7d0ce7fee5a34564b67c68e7892 CVEs

8.5.642 CVEs

8.5.992 CVEs

872451298e20bb77ea95c499e6866b1e32b337e02 CVEs

9.0.1042 CVEs

9.0.1072 CVEs

9.0.1092 CVEs

9.0.1132 CVEs

9.0.442 CVEs

9.0.862 CVEs

9.0.902 CVEs

9.0.962 CVEs

9287d3342f12d20cbdb66c11228b0f80a40a43a02 CVEs

9b0f308fdc46fe76b988266baf2c269d63a3a8982 CVEs

a0038178b617423537dc66b2f516c53da70934212 CVEs

b07cda9f3cc385f6f2d6c0701a050317979745dc2 CVEs

c47f86adea090175669df8b2ca04c93050bcaf8c2 CVEs

c5f2266f27baa5148df29cd3c4139d2450e1019c2 CVEs

cd6d685800b0e46797325866dee2c9a78fc8e69c2 CVEs

f8cfae0a0d1c8dc592099a1430cd08e3524308232 CVEs

fe841cca81f15355ed4096c5c155f0ceb49a05da2 CVEs

> 10.1.131 CVE

> 10.1.151 CVE

> 11.0.0-m101 CVE

> 11.0.0-m111 CVE

> 8.5.931 CVE

> 8.5.951 CVE

> 9.0.811 CVE

> 9.0.821 CVE

027da9e603ac246bb8b74b2145278e9b28cea7f81 CVE

065dc9ace0bc17cd4996a19a6d24703cd43d280c1 CVE

0bf2722f4652674e321a0e22e72dca75d2ea82751 CVE

0cbd87a47606a7669c784d28b5133358a4dcff411 CVE

10.0.121 CVE

10.0.61 CVE

10.1.11 CVE

10.1.161 CVE

10.1.351 CVE

10.1.411 CVE

10.1.431 CVE

10.1.441 CVE

10.1.471 CVE

10.1.521 CVE

10.1.61 CVE

11.0.101 CVE

11.0.121 CVE

11.0.181 CVE

11.0.31 CVE

11.0.71 CVE

11.0.91 CVE

12afa2cd11ffa9522cd98acc228ecb1bad6b80061 CVE

15c524d11651708bc046929139e6b633f2a50fb51 CVE

17550edb0646a42c0c52e9272c3717a0f7888a681 CVE

2640cdf945fd8b715cec93e6c7840970a13634a01 CVE

27c50670878728255730533129c4a533441916051 CVE

2cdef2c0241cdf70b5edd88d3733a52e6b6750471 CVE

37ae42a2996911b9ba6b88e7b0828f855b9d38f61 CVE

3c78e95e36268dfb76db1570f0cf49104fa6eabc1 CVE

454f804f3336ec980e84eb84bb6a051e349c6d3a1 CVE

45d567367df1dce8417fa1408b3ee3e290b480301 CVE

5.5.221 CVE

5.5.361 CVE

53c394049af76032bc7acab9de023013ad4fdc431 CVE

5dd82367de857318b8a384c07c4414e5d55cc9751 CVE

6.0.101 CVE

6.0.361 CVE

6.0.481 CVE

66ebf0df1f2f072d1ecdf63f391026fb1b49bae21 CVE

67928399251771271d95a1805001ba00e650adce1 CVE

6e6ddf18b5dd4baadd4470f2f48a71b9c41851221 CVE

7.0.1001 CVE

7.0.1081 CVE

7.0.1091 CVE

7.0.301 CVE

7.0.731 CVE

7.0.821 CVE

702df4f4db92b59e01d5d8824190ce2652d74a761 CVE

7145107845fe82dafee783bb0bfd6bea028e173b1 CVE

7754d319b2a8866b5bcdf1ea0f35e684703202951 CVE

7be88ea333d4b1f0ff75b8f4bc743f7f252628861 CVE

8.0.391 CVE

8.0.471 CVE

8.0.53-29.32.11 CVE

8.5.101 CVE

8.5.231 CVE

8.5.511 CVE

8.5.631 CVE

8.5.661 CVE

8.5.71 CVE

8.5.721 CVE

8.5.761 CVE

8.5.831 CVE

8.5.861 CVE

8.5.961 CVE

84e18583f461778707f7fd2e25b1f0677e44e8991 CVE

9.0.11 CVE

9.0.1051 CVE

9.0.1081 CVE

9.0.1101 CVE

9.0.1151 CVE

9.0.211 CVE

9.0.311 CVE

9.0.35-3.39.11 CVE

9.0.35-3.57.31 CVE

9.0.431 CVE

9.0.461 CVE

9.0.541 CVE

9.0.681 CVE

9.0.691 CVE

9.0.721 CVE

9.0.831 CVE

9.0.991 CVE

934df02dc68e72b95a38f372017f1b89b0d13a761 CVE

9636e5188311f30c1e46c94191d2145998778bf41 CVE

975b37687cf3985b006ed92aeaca69ae795951471 CVE

9829c929059f96605a3fb870700b5887970d72031 CVE

b5205c92f41dfd9a67f78bc783db7b022e38226c1 CVE

b57a2ea4466a2d4ea03a0f90e3f0d6c485b3cfea1 CVE

be97b0e06e77226aea5eb2a7b448f1d53bda2aa11 CVE

c63765c906c86af8afa43281f591d11ac5c9e5c11 CVE

cbf143d52b79395ce8a7e749b7ccdcd9361751f91 CVE

cd5fd93c5df3699868ec39731f5a3474501122991 CVE

db45aa20e1686827aa49a9062c775d266ef061d71 CVE

dbccb8cba2bf667a0e1b5da02187bda3e1a741201 CVE

dc8bcd9c0704235319d322ca3d4c32263a0547661 CVE

e6c2a4b773a2bf03f94a31ed8fc30df1a735217e1 CVE

e9630c1fad9a72e7394872a2aeeb73627f821b6c1 CVE

ea5f6b9485a94ca2fa86415b834a1a6c49a01f601 CVE

eb8d36c30857866536e8c931731c9f86980b00a61 CVE

f725f57f195de035a5cbc6602a1f7a3ad43ee5b51 CVE

fd3e7b16a7ead52f696b827178333f9a00696d251 CVE

fe0424f91a9f0af2f6422fe83bfaa769d92aa1311 CVE