Photon OS 5.0: Httpd PHSA-2026-5.0-0848

An update of the httpd package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0848. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

Linux Distros Unpatched Vulnerability : CVE-2026-41293

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from...

splunk-web-attack-detection

🔍 Web Application Attack Detection & Threat Hunting Using Splu...

Apache Tomcat - AJP secret compared in non-constant time

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: The AJP secret was compared in non-constant time allowing an attacker on the local network to mount a timing...

GHSA-5M62-PW8W-7W9F Apache Tomcat - Security constraints not correctly applied

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the...

GHSA-GX5V-XP9W-J4CG Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests which were available to...

GHSA-H6FC-48RJ-7QQH Apache Tomcat - Digest authenticator will authenticate any unknown user

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if...

EUVD-2026-29513

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade ...

GHSA-5MP6-JRQ3-R938 Apache Tomcat: LockOutRealm treats user names as case-sensitive

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests which were available to...

Apache Tomcat: LockOutRealm treats user names as case-sensitive

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

EUVD-2026-29518

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

GHSA-R29C-68GH-XP6X Apache Tomcat - HTTP/2 request headers not validated

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: HTTP/2 request headers were not validated which may have triggered unexpected application behaviour if the...

EUVD-2026-29517

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

Improper Authentication

Overview org.apache.tomcat:catalina is a Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as t...

Timing Attack

Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack...

br.com.arsmachina:tapestry-url-rewriter (>=1.0.1 <=2.0.0), br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2) +294 more potentially affected by CVE-2026-43515 via org.apache.tomcat:catalina (>=6.0.13 <=6.0.53)

org.apache.tomcat:catalina MAVEN version =6.0.13, =1.0.1, =1.2.1, =0.1, =7.12.0, =1.0.0, =1.0.3, =9.0.3, =9.0.3, =0.7.1, =1.5, =1.8.2, =0.9.0, =1.0.0 and more Source cves: CVE-2026-43515 Source advisory: SNYK:JAVA-ORGAPACHETOMCAT-16690891...

Timing Attack

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret ...

DEBIAN-CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...