CVE-2009-3555
critical
9.8
10.0
17y ago
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9…
debian ubuntu fedora java +4
CVE-2026-43512
critical
9.8
9.8
16d ago
Apache Tomcat - Digest authenticator will authenticate any unknown user
suse debian java apache
CVE-2026-41293
critical
9.8
9.8
16d ago
Apache Tomcat - HTTP/2 request headers not validated
suse debian java apache
CVE-2025-55754
critical
9.6
9.6
10d ago
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
redhat suse debian java +1
CVE-2026-29145
critical
—
9.5
2mo ago
Apache Tomcat: CLIENT_CERT authentication does not fail as expected
suse debian java
CVE-2026-43515
critical
9.1
9.1
16d ago
Apache Tomcat - Security constraints not correctly applied
suse debian java apache
CVE-2016-0714
high
8.8
8.8
10y ago
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticat…
debian ubuntu java apache
CVE-2015-5351
high
8.8
8.8
10y ago
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, wh…
suse debian ubuntu java +1
CVE-2015-5346
high
8.1
8.1
10y ago
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the sam…
suse debian ubuntu java +1
CVE-2026-29129
high
—
8.0
2mo ago
Apache Tomcat: Configured cipher preference order not preserved
suse debian java
CVE-2021-42340
high
—
8.0
4y ago
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics f…
redhat arch debian java
CVE-2020-13935
high
—
8.0
4y ago
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could t…
arch suse debian java
CVE-2020-13934
high
—
8.0
4y ago
Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
arch suse debian java
CVE-2014-0230
high
—
7.8
11y ago
Uncontrolled Resource Consumption in Apache Tomcat
java apache oracle
CVE-2026-43513
high
7.5
7.5
16d ago
Apache Tomcat: LockOutRealm treats user names as case-sensitive
suse debian java apache
CVE-2026-41284
high
7.5
7.5
16d ago
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
suse debian java apache
CVE-2026-34486
high
7.5
7.5
2mo ago
Apache Tomcat Missing Encryption of Sensitive Data vulnerability
suse debian java apache
CVE-2025-55752
high
7.5
7.5
6mo ago
Important: tomcat security update
rockylinux redhat suse debian +2
CVE-2017-7675
high
7.5
7.5
9y ago
Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
suse debian java apache
CVE-2016-6796
high
7.5
7.5
9y ago
Apache Tomcat vulnerable to SecurityManager bypass
suse debian redhat ubuntu +3
CVE-2016-6817
high
7.5
7.5
9y ago
Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
debian java apache
CVE-2016-6797
high
7.5
7.5
9y ago
Incorrect Authorization in Apache Tomcat
suse debian redhat ubuntu +3
CVE-2017-5664
high
7.5
7.5
9y ago
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwa…
suse debian java apache
CVE-2017-5650
high
7.5
7.5
9y ago
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting f…
debian java apache
CVE-2017-5647
high
7.5
7.5
9y ago
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
suse debian java apache
CVE-2014-0050
high
—
7.5
12y ago
Commons FileUpload Denial of service vulnerability
debian java apache oracle
CVE-2013-2185
high
—
7.5
13y ago
Deserialization of Untrusted Data in Apache Tomcat
java apache redhat
CVE-2011-3190
high
—
7.5
15y ago
Apache Tomcat Allows Remote Attackers to Spoof AJP Requests
java apache
CVE-2026-42498
high
7.3
7.3
16d ago
Apache Tomcat - WebSocket authentication header exposure
suse debian java apache
CVE-2026-43514
low
3.7
3.7
16d ago
Apache Tomcat - AJP secret compared in non-constant time
suse debian java apache
CVE-2013-2071
low
—
2.6
13y ago
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
java apache
CVE-2010-1157
low
—
2.6
16y ago
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
java apache
CVE-2024-54677
low
—
2.5
2y ago
Apache Tomcat Uncontrolled Resource Consumption vulnerability
suse debian java
CVE-2011-2204
low
—
1.9
15y ago
Insertion of Sensitive Information into Log File in Apache Tomcat
java apache
CVE-2010-3718
low
—
1.2
16y ago
Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
java apache
CVE-2026-32990
unknown
—
—
2mo ago
Apache Tomcat has an Improper Input Validation vulnerability
debian java
CVE-2025-49124
unknown
—
—
1y ago
Apache Tomcat installer for Windows has an untrusted search path vulnerability
suse debian java
CVE-2022-34305
unknown
—
—
4y ago
Cross-site Scripting in Apache Tomcat
suse debian java
CVE-2012-5887
unknown
—
—
4y ago
Improper Authentication in Apache Tomcat
java
CVE-2017-15706
unknown
—
—
4y ago
Inconsistent documentation in Apache Tomcat
suse debian java
CVE-2009-0033
unknown
—
—
4y ago
Apache Tomcat Denial of Service via Malformed Request Headers
java
CVE-2008-4308
unknown
—
—
4y ago
Apache Tomcat information disclosure vulnerability
java
CVE-2008-0002
unknown
—
—
4y ago
Apache Tomcat Sensitive Information Disclosure
java
CVE-2007-3384
unknown
—
—
4y ago
Apache Tomcat's CookieExample Vulnerable to XSS
java
CVE-2007-3385
unknown
—
—
4y ago
Apache Tomcat Mishandles Character Sequence in Cookies
java
CVE-2007-2450
unknown
—
—
4y ago
Apache Tomcat vulnerable to Cross-site Scripting
java
CVE-2007-0450
unknown
—
—
4y ago
Apache Tomcat Directory Traversal
java
CVE-2005-3510
unknown
—
—
4y ago
Apache Tomcat Vulnerable to Denial of Service (DoS) via Simultaneous Requests
java
CVE-2002-2006
unknown
—
—
4y ago
Apache Tomcat Default Installation Reveals Sensitive Information
java
CVE-2002-1567
unknown
—
—
4y ago
Apache Tomcat XSS Vulnerability
java
CVE-2002-1394
unknown
—
—
4y ago
Apache Tomcat Source Code Disclosure
java
CVE-2001-0917
unknown
—
—
4y ago
Apache Tomcat Reveals Path through Long URL
java
CVE-2001-0829
unknown
—
—
4y ago
Apache Tomcat allows webmasters to insert XSS into error messages
java
CVE-2000-1210
unknown
—
—
4y ago
Apache Tomcat Directory Traversal
java
CVE-2003-0866
unknown
—
—
4y ago
Apache Tomcat Denial of Service vulnerability in the Catalina package
java
CVE-2003-0044
unknown
—
—
4y ago
Jakarta Tomcat cross-site scripting (XSS) vulnerability
java
CVE-2021-41079
unknown
—
—
5y ago
Infinite loop in Tomcat due to parsing error
suse debian java
CVE-2021-30640
unknown
—
—
5y ago
Authentication Bypass by Alternate Name in Apache Tomcat
suse debian java
CVE-2021-33037
unknown
—
—
5y ago
HTTP Request Smuggling in Apache Tomcat
suse debian java
CVE-2021-30639
unknown
—
—
5y ago
Improper Handling of Exceptional Conditions in Apache Tomcat
debian java
CVE-2019-17569
unknown
—
—
6y ago
Potential HTTP request smuggling in Apache Tomcat
debian java