261 matches found
CVE-2005-4703
CVE-2005-4703 affects Apache Tomcat 4.0.3 on Windows. When a request targets a file whose name matches an MS-DOS device name (e.g., lpt9), the server may disclose the pathname in an error message (demonstrated by lpt9.xtp, e.g., via Nikto). Root cause: improper handling of MS-DOS device names lea...
CVE-2002-2009
Affected software: Apache Tomcat 4.0.1. Vulnerability: Information disclosure where remote attackers can obtain the web root/pathname by triggering error pages for JSP requests that use a leading sequence (+/, >/,
CVE-2026-34486
CVE-2026-34486 is a Tomcat Tribes EncryptInterceptor regression: when decryption fails, the code path previously moved super.messageReceived(msg) outside the try block, causing raw serialized bytes to bypass encryption and reach deserialization, enabling unauthenticated RCE via Java deserializati...
CVE-2026-43513
CVE-2026-43513 : Apache Tomcat has an improper handling of case sensitivity in LockOutRealm. Affects Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109 (older unsupported versions may also be affected). Upgrading...
CVE-2026-24880
CVE-2026-24880 describes an HTTP Request/Response Smuggling vulnerability in Apache Tomcat caused by inconsistent interpretation of HTTP requests via invalid chunk extension. Affected products include Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M1 through 9.0.115, 8.5.0 thr...
CVE-2026-29129
CVE-2026-29129 is a vulnerability in Apache Tomcat where the configured cipher preference order is not preserved. It affects Tomcat versions 11.0.16–11.0.18, 10.1.51–10.1.52, and 9.0.114–9.0.115, per multiple sources (NVD, Debian security advisories, EUVD). The issue can impact confidentiality (C...
CVE-2026-34483
CVE-2026-34483 is an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. Affected versions: Tomcat 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. Exploitation concerns are not detailed in the provided docum...
CVE-2026-34500
CVE-2026-34500 affects Apache Tomcat, where CLIENT_CERT authentication may bypass non-failing behavior in scenarios with soft fail disabled and FFM . Affected versions are: Tomcat 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. The issue is resolved by upgrading t...
CVE-2026-24733
CVE-2026-24733 describes an Improper Input Validation in Apache Tomcat where HTTP/0.9 HEAD requests can bypass security constraints intended for GET. Affected: Apache Tomcat 11.0.0-M1–11.0.14, 10.1.0-M1–10.1.49, 9.0.0.M1–9.0.112 (plus older EOL as noted). The root cause is failure to restrict HTT...
CVE-2026-32990
CVE-2026-32990 is an Apache Tomcat vulnerability caused by an incomplete fix of CVE-2025-66614 (improper input validation). Affected are Tomcat 11.0.15–11.0.19, 10.1.50–10.1.52, and 9.0.113–9.0.115. Upgrading to fixed releases 11.0.20, 10.1.53, or 9.0.116 is recommended. Other connected advisorie...
CVE-2026-34487
CVE-2026-34487 : Apache Tomcat contains an information disclosure vulnerability titled “Insertion of Sensitive Information into Log File” in the cloud membership for the clustering component, exposing the Kubernetes bearer token. Affected versions include Tomcat 11.0.0-M1 through 11.0.20, 10.1.0-...