K000161603: Apache Tomcat vulnerability CVE-2026-32990

Security Advisory Description Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to versio...

Astra Linux - уязвимость в tomcat9

A vulnerability exists in the improper encoding or escaping of output in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: versions from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, and from 9.0.40 through 9.0.116. Users are recommended to upgrade ...

Astra Linux - уязвимость в tomcat9

There is a vulnerability in Apache Tomcat known as “Allocation of Resources Without Limits or Throttling”. This issue affects Apache Tomcat versions ranging from 11.0.0-M1 to 11.0.21, from 10.1.0-M1 to 10.1.54, and from 9.0.0.M1 to 9.0.117. Older, unsupported versions may also be affected. It is...

Astra Linux - уязвимость в tomcat9

There is an improper neutralization of vulnerabilities related to escape, meta, or control sequences in Apache Tomcat. For a subset of uncommon rewrite rule configurations, it was possible for a specially crafted request to bypass certain rewrite rules. If these rewrite rules effectively enforced...

Astra Linux - уязвимость в tomcat9

In Apache Tomcat versions 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64, and 8.5.50 to 8.5.81, the Form authentication example in the sample web application displayed user-provided data without filtering, exposing an XSS vulnerability...

Astra Linux - уязвимость в tomcat9

There is a vulnerability related to uncontrolled resource consumption in Apache Tomcat, especially when an HTTP/2 client does not acknowledge the initial settings frame that reduces the maximum number of concurrent streams allowed. This issue affects Apache Tomcat versions from 11.0.0-M1 through...

SUSE CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

GHSA-5M62-PW8W-7W9F Apache Tomcat - Security constraints not correctly applied

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the...

GHSA-9M89-8FRQ-C98C Apache Tomcat - AJP secret compared in non-constant time

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: The AJP secret was compared in non-constant time allowing an attacker on the local network to mount a timing...

Allocation of Resources Without Limits or Throttling

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause excessive resource consumption by...

Improper Authentication

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown...

CVE-2026-43513

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

Apache Tomcat 安全漏洞

Apache Tomcat is a lightweight web application server developed by the Apache Foundation in the United States. It supports Servlet and JavaServer Page JSP technologies. Security vulnerabilities exist in versions of Apache Tomcat ranging from 11.0.0-M1 to 11.0.21, from 10.1.0-M1 to 10.1.54, from...

Unity Linux 20.1060e / 20.1070e Security Update: tomcat (UTSA-2026-017616)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017616 advisory. The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration...

CVE-2026-40075

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the /openmrs/moduleResources/moduleid endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from...

CVE-2026-40075

OpenMRS Core <2.8.6 and 2.8.0–2.8.5 exposes a path traversal in ModuleResourcesServlet (/openmrs/moduleResources/{moduleid}) due to unsafe path construction without normalization, allowing unauthenticated reading of arbitrary files (e.g., /etc/passwd). Tomcat

CVE-2026-40075

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the /openmrs/moduleResources/moduleid endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in Apache Tomcat [CVE-2026-24734]

Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in Apache Tomcat, due to a failure to complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed CVE-2026-24734. Apache Tomcat is used in our speech...

BIT-TOMCAT-2026-29145 Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0 through 11.0.18, from 10.1.0 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: fr...

PT-2026-32441

CLIENT CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0 through 11.0.18, from 10.1.0 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native:...