Package impact

Maven / org.apache.tomcat:tomcat-catalina

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-43512	critical	9.8	9.8	15d ago	Apache Tomcat - Digest authenticator will authenticate any unknown user
CVE-2026-41293	critical	9.8	9.8	15d ago	Apache Tomcat - HTTP/2 request headers not validated
CVE-2025-55754	critical	9.6	9.6	9d ago	Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences	+1
CVE-2026-43515	critical	9.1	9.1	15d ago	Apache Tomcat - Security constraints not correctly applied
CVE-2017-5648	critical	9.1	9.1	9y ago	While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th…
CVE-2016-5388	high	8.1	8.1	10y ago	Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted cli…	+1
CVE-2025-46701	high	—	8.0	9d ago	Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to th…	+1
CVE-2025-55668	high	—	8.0	9d ago	Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old…
CVE-2025-31651	high	—	8.0	6mo ago	Important: tomcat security update	+1
CVE-2025-48988	high	—	8.0	9mo ago	Important: tomcat security update	+2
CVE-2025-49125	high	—	8.0	9mo ago	Important: tomcat security update	+2
CVE-2025-52520	high	—	8.0	9mo ago	Important: tomcat security update	+1
CVE-2024-56337	high	—	8.0	11mo ago	Important: tomcat security update	+1
CVE-2023-46589	high	—	8.0	2y ago	Important: tomcat security update	+1
CVE-2020-9484	high	—	8.0	6y ago	Potential remote code execution in Apache Tomcat
CVE-2026-43513	high	7.5	7.5	15d ago	Apache Tomcat: LockOutRealm treats user names as case-sensitive
CVE-2026-41284	high	7.5	7.5	15d ago	Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
CVE-2025-55752	high	7.5	7.5	6mo ago	Important: tomcat security update	+2
CVE-2017-12616	high	7.5	7.5	9y ago	Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
CVE-2026-42498	high	7.3	7.3	15d ago	Apache Tomcat - WebSocket authentication header exposure
CVE-2025-24813	medium	—	7.0	1y ago	Moderate: tomcat security update	+1
CVE-2024-50379	medium	—	5.5	11mo ago	Moderate: tomcat security update	+1
CVE-2023-28708	medium	—	5.5	3y ago	Moderate: tomcat security and bug fix update
CVE-2025-61795	medium	5.3	5.3	7mo ago	Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
CVE-2012-5886	medium	—	5.0	14y ago	Improper Authentication in Apache Tomcat
CVE-2014-0119	medium	—	4.3	12y ago	Missing XML Validation in Apache Tomcat
CVE-2014-0096	medium	—	4.3	12y ago	Improper Input Validation in Apache Tomcat
CVE-2026-43514	low	3.7	3.7	15d ago	Apache Tomcat - AJP secret compared in non-constant time
CVE-2024-54677	low	—	2.5	2y ago	Apache Tomcat Uncontrolled Resource Consumption vulnerability
CVE-2017-12617	unknown	—	1.5	4y ago	When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the serv…
CVE-2016-8735	unknown	—	1.5	4y ago	Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This C…
CVE-2026-34483	unknown	—	—	2mo ago	Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 1…
CVE-2026-34487	unknown	—	—	2mo ago	Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat…
CVE-2026-25854	unknown	—	—	2mo ago	Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, fro…
CVE-2026-24733	unknown	—	—	3mo ago	Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny…
CVE-2025-66614	unknown	—	—	3mo ago	Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were…
CVE-2025-49124	unknown	—	—	1y ago	Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects A…
CVE-2024-52316	unknown	—	—	2y ago	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception dur…
CVE-2022-45143	unknown	—	—	3y ago	The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use…