210 CVEs

4 in CISA KEV

org.apache.tomcat Vulnerabilities

CVE security advisories and vulnerability history for org.apache.tomcat.

210

Total CVEs

Published

4

In CISA KEV

Exploited in the wild

41

Public exploits

With known exploit

7.5

Avg CVSS

2000–2026

Overview

org.apache.tomcat has 210 published CVE records since 2000, of which 4 are in CISA's Known Exploited Vulnerabilities catalog and 41 have a known public exploit. The average CVSS base score across scored CVEs is 7.5.

This page aggregates every publicly disclosed vulnerability (CVE) affecting org.apache.tomcat products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of org.apache.tomcat's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical12

High32

Medium14

Low2

150 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

4

4 of org.apache.tomcat's CVEs are confirmed exploited in the wild.

Public exploits

41

41 of org.apache.tomcat's CVEs have a known public exploit available.

Most affected products

The org.apache.tomcat products with the most published CVEs.

tomcat207 CVEs
org.apache.tomcat:tomcat159 CVEs
Apache Tomcat96 CVEs
org.apache.tomcat.embed:tomcat-embed-core54 CVEs
debian linux42 CVEs
org.apache.tomcat:tomcat-catalina39 CVEs
org.apache.tomcat:tomcat-coyote26 CVEs
ubuntu linux20 CVEs

Common weakness types

The CWE weakness categories most often found in org.apache.tomcat CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish org.apache.tomcat CVE records.

Disclosure activity by year

How many org.apache.tomcat CVEs were published each year.

2019

1

2020

9

2021

5

2022

6

2023

11

2024

11

2025

15

2026

20

Latest org.apache.tomcat CVEs

The most recently disclosed vulnerabilities affecting org.apache.tomcat.

Apache Tomcat: Security constraints not correctly applied
CWE-285
Critical · CVSS 9.1
EPSS 0.1%2026-05-12
Apache Tomcat: AJP secret compared in non-constant time
CWE-208
Low · CVSS 3.7
EPSS 0.1%2026-05-12
Apache Tomcat: LockOutRealm treats user names as case-sensitive
CWE-178
High · CVSS 7.5
EPSS 0.1%2026-05-12
Apache Tomcat: Digest authenticator will authenticate any unknown user
CWE-592
Critical · CVSS 9.8
EPSS 0.1%2026-05-12
Apache Tomcat: HTTP/2 request headers not validated
CWE-20
Critical · CVSS 9.8
EPSS 0.3%2026-05-12
Apache Tomcat: WebSocket authentication header exposure
CWE-200
High · CVSS 7.3
EPSS 0.1%2026-05-12
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
CWE-770
High · CVSS 7.5
EPSS 0.1%2026-05-12
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
CWE-287
Medium · CVSS 6.5
EPSS 0.2%2026-04-09
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
CWE-532
High · CVSS 7.5
EPSS 0.1%2026-04-09
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
CWE-311
High · CVSS 7.5
EPSS 1.7%2026-04-09
Apache Tomcat: Incomplete escaping of JSON access logs
CWE-116
High · CVSS 7.5
EPSS 0.1%2026-04-09
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
CWE-20
Medium · CVSS 5.3
EPSS 0.2%2026-04-09

Track new org.apache.tomcat CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor org.apache.tomcat CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

glpi-project217 CVEs Acronis214 CVEs trendnet214 CVEs kde214 CVEs Wavlink211 CVEs openemr210 CVEs wwbn209 CVEs angeljudesuarez206 CVEs

Browse all vendors

Frequently asked questions

Common questions about org.apache.tomcat vulnerabilities.

How many CVEs does org.apache.tomcat have?

org.apache.tomcat has 210 published CVE records since 2000, including 35 in the last two years.

How many org.apache.tomcat CVEs are in CISA KEV?

Yes — 4 of org.apache.tomcat's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which org.apache.tomcat products have the most CVEs?

The org.apache.tomcat products with the most published CVEs are tomcat, org.apache.tomcat:tomcat, Apache Tomcat, org.apache.tomcat.embed:tomcat-embed-core, debian linux.

What are the most common weakness types in org.apache.tomcat CVEs?

org.apache.tomcat's CVEs most often map to these CWE weakness types: CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-459 (Incomplete Cleanup), CWE-770 (Allocation of Resources Without Limits or Throttling).

Are there public exploits for org.apache.tomcat vulnerabilities?

Yes — 41 of org.apache.tomcat's CVEs have a known public exploit.

How many critical org.apache.tomcat vulnerabilities are there?

org.apache.tomcat has 12 critical and 32 high-severity CVEs.

What is the average severity of org.apache.tomcat CVEs?

The average CVSS base score across org.apache.tomcat's scored CVEs is 7.5.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track org.apache.tomcat vulnerabilities

Monitor new org.apache.tomcat vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing