4 matches found
Apache Tomcat 9.0.113 < 9.0.116 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 9.0.116. It is, therefore, affected by multiple vulnerabilities as referenced in the fixedinapachetomcat9.0.116security-9 advisory. - CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled...
UBUNTU-CVE-2026-24733
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a specification inval...
Improper Authorization
Overview: org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization in prepareRequestProtocol, which accepts HTTP/0.9 requests other than GET. A security constraint configured to allow HEAD requests to a UR...
KLA90892 SB vulnerabilities in Apache Tomcat
Security vulnerabilities were found in Apache Tomcat. Malicious users can exploit these vulnerabilities to bypass security restrictions. Original advisories: Fixed in Apache Tomcat 9.0.113. Exploitation. Related products: Apache-Tomcat. CVE list: CVE-2025-66614 unknown, CVE-2026-24733 unknown. Solution...