| CVE-2009-3555 |
critical |
9.8 |
10.0 |
17y ago |
Apache Tomcat affected by vulnerability in TLS and SSL protocol |
+4 |
| CVE-2026-43512 |
critical |
9.8 |
9.8 |
16d ago |
Apache Tomcat - Digest authenticator will authenticate any unknown user |
|
| CVE-2026-41293 |
critical |
9.8 |
9.8 |
16d ago |
Apache Tomcat - HTTP/2 request headers not validated |
|
| CVE-2025-55754 |
critical |
9.6 |
9.6 |
10d ago |
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences |
+1 |
| CVE-2026-29145 |
critical |
— |
9.5 |
2mo ago |
Apache Tomcat: CLIENT_CERT authentication does not fail as expected |
|
| CVE-2026-43515 |
critical |
9.1 |
9.1 |
16d ago |
Apache Tomcat - Security constraints not correctly applied |
|
| CVE-2016-0714 |
high |
8.8 |
8.8 |
10y ago |
Improper Access Control in Apache Tomcat |
|
| CVE-2015-5351 |
high |
8.8 |
8.8 |
10y ago |
Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token |
+1 |
| CVE-2015-5346 |
high |
8.1 |
8.1 |
10y ago |
Improper Neutralization of Input During Web Page Generation in Apache Tomcat |
+1 |
| CVE-2026-29129 |
high |
— |
8.0 |
2mo ago |
Apache Tomcat: Configured cipher preference order not preserved |
|
| CVE-2021-42340 |
high |
— |
8.0 |
4y ago |
Missing Release of Resource after Effective Lifetime in Apache Tomcat |
|
| CVE-2020-13935 |
high |
— |
8.0 |
4y ago |
Infinite Loop in Apache Tomcat |
|
| CVE-2020-13934 |
high |
— |
8.0 |
4y ago |
Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat |
|
| CVE-2014-0230 |
high |
— |
7.8 |
11y ago |
Uncontrolled Resource Consumption in Apache Tomcat |
|
| CVE-2026-43513 |
high |
7.5 |
7.5 |
16d ago |
Apache Tomcat: LockOutRealm treats user names as case-sensitive |
|
| CVE-2026-41284 |
high |
7.5 |
7.5 |
16d ago |
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling |
|
| CVE-2026-34486 |
high |
7.5 |
7.5 |
2mo ago |
Apache Tomcat Missing Encryption of Sensitive Data vulnerability |
|
| CVE-2025-55752 |
high |
7.5 |
7.5 |
6mo ago |
Apache Tomcat Vulnerable to Relative Path Traversal |
+2 |
| CVE-2017-7675 |
high |
7.5 |
7.5 |
9y ago |
Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat |
|
| CVE-2016-6796 |
high |
7.5 |
7.5 |
9y ago |
Apache Tomcat vulnerable to SecurityManager bypass |
+3 |
| CVE-2016-6817 |
high |
7.5 |
7.5 |
9y ago |
Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat |
|
| CVE-2016-6797 |
high |
7.5 |
7.5 |
9y ago |
Incorrect Authorization in Apache Tomcat |
+3 |
| CVE-2017-5664 |
high |
7.5 |
7.5 |
9y ago |
Improper Handling of Exceptional Conditions in Apache Tomcat |
|
| CVE-2017-5650 |
high |
7.5 |
7.5 |
9y ago |
Improper Resource Shutdown or Release in Apache Tomcat |
|
| CVE-2017-5647 |
high |
7.5 |
7.5 |
9y ago |
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
|
| CVE-2014-0050 |
high |
— |
7.5 |
12y ago |
Commons FileUpload Denial of service vulnerability |
|
| CVE-2013-2185 |
high |
— |
7.5 |
13y ago |
Deserialization of Untrusted Data in Apache Tomcat |
|
| CVE-2011-3190 |
high |
— |
7.5 |
15y ago |
Apache Tomcat Allows Remote Attackers to Spoof AJP Requests |
|
| CVE-2026-42498 |
high |
7.3 |
7.3 |
16d ago |
Apache Tomcat - WebSocket authentication header exposure |
|
| CVE-2013-4444 |
medium |
— |
6.8 |
12y ago |
Apache Tomcat Unrestricted file upload vulnerability |
|
| CVE-2013-2067 |
medium |
— |
6.8 |
13y ago |
Improper Authentication in Apache Tomcat |
|
| CVE-2014-0227 |
medium |
— |
6.4 |
11y ago |
Improper Input Validation in Apache Tomcat |
|
| CVE-2010-4312 |
medium |
— |
6.4 |
16y ago |
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header |
|
| CVE-2010-2227 |
medium |
— |
6.4 |
16y ago |
Apache Tomcat does not properly handle an invalid Transfer-Encoding header |
|
| CVE-2016-0763 |
medium |
6.3 |
6.3 |
10y ago |
Improper Verification of Source of a Communication Channel in Apache Tomcat |
|
| CVE-2016-0762 |
medium |
5.9 |
5.9 |
9y ago |
Observable Discrepancy in Apache Tomcat |
+3 |
| CVE-2013-4286 |
medium |
— |
5.8 |
12y ago |
Apache Tomcat is vulnerable to HTTP request-smuggling |
|
| CVE-2011-1183 |
medium |
— |
5.8 |
15y ago |
Access controll bypass in Apache Tomcat |
|
| CVE-2011-1419 |
medium |
— |
5.8 |
15y ago |
Apache Tomcat does not follow ServletSecurity annotations |
|
| CVE-2011-1088 |
medium |
— |
5.8 |
15y ago |
Apache Tomcat allows remote attackers to bypass intended access restrictions |
|
| CVE-2009-2693 |
medium |
— |
5.8 |
17y ago |
Apache Tomcat Directory Traversal vulnerability |
|
| CVE-2023-41080 |
medium |
— |
5.5 |
2y ago |
Apache Tomcat Open Redirect vulnerability |
|
| CVE-2023-45648 |
medium |
— |
5.5 |
2y ago |
Apache Tomcat Improper Input Validation vulnerability |
|
| CVE-2023-42795 |
medium |
— |
5.5 |
2y ago |
Apache Tomcat Incomplete Cleanup vulnerability |
|
| CVE-2022-25762 |
medium |
— |
5.5 |
4y ago |
Improper socket reuse in Apache Tomcat |
|
| CVE-2020-11996 |
medium |
— |
5.5 |
4y ago |
Uncontrolled Resource Consumption in Apache Tomcat |
|
| CVE-2020-1935 |
medium |
— |
5.5 |
6y ago |
Potential HTTP request smuggling in Apache Tomcat |
|
| CVE-2025-61795 |
medium |
5.3 |
5.3 |
7mo ago |
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release |
|
| CVE-2016-6794 |
medium |
5.3 |
5.3 |
9y ago |
System Property Disclosure in Apache Tomcat |
+3 |
| CVE-2015-5345 |
medium |
5.3 |
5.3 |
10y ago |
Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat |
+1 |
| CVE-2014-7810 |
medium |
— |
5.0 |
11y ago |
Improper Access Control in Apache Tomcat |
|
| CVE-2014-0075 |
medium |
— |
5.0 |
12y ago |
Integer Overflow or Wraparound in Apache Tomcat |
|
| CVE-2012-3544 |
medium |
— |
5.0 |
13y ago |
Apache Tomcat Vulnerable to Denial of Service (DoS) via Improper Handling of chunk extensions |
|
| CVE-2012-5885 |
medium |
— |
5.0 |
14y ago |
Improper Access Control in Apache Tomcat |
|
| CVE-2012-0022 |
medium |
— |
5.0 |
15y ago |
Denial of Service in Apache Tomcat |
|
| CVE-2011-3375 |
medium |
— |
5.0 |
15y ago |
Apache Tomcat Exposes IP Addresses and HTTP Headers of Requests |
|
| CVE-2011-5062 |
medium |
— |
5.0 |
15y ago |
Improper Authentication in Apache Tomcat |
|
| CVE-2011-1184 |
medium |
— |
5.0 |
15y ago |
Authentication Bypass in Apache Tomcat |
|
| CVE-2011-4858 |
medium |
— |
5.0 |
15y ago |
Improper Input Validation in Apache Tomcat |
|
| CVE-2011-1475 |
medium |
— |
5.0 |
15y ago |
Apache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users |
|
| CVE-2010-4476 |
medium |
— |
5.0 |
16y ago |
Apache Tomcat affected by infinite loop in Double.parseDouble method in Java Runtime Environment |
|
| CVE-2011-0534 |
medium |
— |
5.0 |
16y ago |
Apache Tomcat does not enforce the maxHttpHeaderSize limit |
|
| CVE-2011-2481 |
medium |
— |
4.6 |
15y ago |
Apache Tomcat Allows Replacing of XML Parser |
|
| CVE-2011-2526 |
medium |
— |
4.4 |
15y ago |
Improper Input Validation in Apache Tomcat |
|
| CVE-2017-7674 |
medium |
4.3 |
4.3 |
9y ago |
Insufficient Verification of Data Authenticity in Apache Tomcat |
|
| CVE-2016-0706 |
medium |
4.3 |
4.3 |
10y ago |
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
+1 |
| CVE-2015-5174 |
medium |
4.3 |
4.3 |
10y ago |
Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat |
+1 |
| CVE-2014-0119 |
medium |
— |
4.3 |
12y ago |
Missing XML Validation in Apache Tomcat |
|
| CVE-2014-0099 |
medium |
— |
4.3 |
12y ago |
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat |
|
| CVE-2014-0096 |
medium |
— |
4.3 |
12y ago |
Improper Input Validation in Apache Tomcat |
|
| CVE-2014-0033 |
medium |
— |
4.3 |
12y ago |
Improper Input Validation in Apache Tomcat |
|
| CVE-2013-4590 |
medium |
— |
4.3 |
12y ago |
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
|
| CVE-2013-4322 |
medium |
— |
4.3 |
12y ago |
Apache Tomcat Denial of Service vulnerability |
|
| CVE-2012-4431 |
medium |
— |
4.3 |
14y ago |
Cross-Site Request Forgery in Apache Tomcat |
|
| CVE-2012-3546 |
medium |
— |
4.3 |
14y ago |
Authentication Bypass in Apache Tomcat |
|
| CVE-2011-5064 |
medium |
— |
4.3 |
15y ago |
Use of Hard-coded Cryptographic Key in Apache Tomcat |
|
| CVE-2011-5063 |
medium |
— |
4.3 |
15y ago |
Improper Authentication in Apache Tomcat |
|
| CVE-2011-1582 |
medium |
— |
4.3 |
15y ago |
Access restriction bypass in Apache Tomcat |
|
| CVE-2011-0013 |
medium |
— |
4.3 |
16y ago |
Improper Neutralization of Input During Web Page Generation in Apache Tomcat |
|
| CVE-2010-4172 |
medium |
— |
4.3 |
16y ago |
Improper Neutralization of Input During Web Page Generation in Apache Tomcat |
|
| CVE-2009-2902 |
medium |
— |
4.3 |
17y ago |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Tomcat |
|
| CVE-2009-2901 |
medium |
— |
4.3 |
17y ago |
Improper Authentication in Apache Tomcat |
|
| CVE-2026-34483 |
unknown |
— |
— |
2mo ago |
Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve |
|
| CVE-2026-34487 |
unknown |
— |
— |
2mo ago |
Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File |
|
| CVE-2026-32990 |
unknown |
— |
— |
2mo ago |
Apache Tomcat has an Improper Input Validation vulnerability |
|
| CVE-2026-29146 |
unknown |
— |
— |
2mo ago |
Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor |
|
| CVE-2026-25854 |
unknown |
— |
— |
2mo ago |
Apache Tomcat has an Open Redirect vulnerability |
|
| CVE-2026-24733 |
unknown |
— |
— |
3mo ago |
Apache Tomcat - Security constraint bypass with HTTP/0.9 |
|
| CVE-2025-66614 |
unknown |
— |
— |
3mo ago |
Apache Tomcat - Client certificate verification bypass |
|
| CVE-2025-49124 |
unknown |
— |
— |
1y ago |
Apache Tomcat installer for Windows has an untrusted search path vulnerability |
|
| CVE-2021-43980 |
unknown |
— |
— |
4y ago |
Apache Tomcat Race Condition vulnerability |
|
| CVE-2022-34305 |
unknown |
— |
— |
4y ago |
Cross-site Scripting in Apache Tomcat |
|
| CVE-2012-5887 |
unknown |
— |
— |
4y ago |
Improper Authentication in Apache Tomcat |
|
| CVE-2008-5515 |
unknown |
— |
— |
4y ago |
Directory Traversal in Apache Tomcat |
|
| CVE-2017-15706 |
unknown |
— |
— |
4y ago |
Inconsistent documentation in Apache Tomcat |
|
| CVE-2016-8747 |
unknown |
— |
— |
4y ago |
Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request |
|
| CVE-2022-29885 |
unknown |
— |
— |
4y ago |
Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption |
|
| CVE-2009-0783 |
unknown |
— |
— |
4y ago |
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
|
| CVE-2009-0781 |
unknown |
— |
— |
4y ago |
Cross-site scripting in Apache Tomcat |
|
| CVE-2009-0580 |
unknown |
— |
— |
4y ago |
Exposure of Sensitive Information in Apache Tomcat |
|