| CVE-2026-43512 |
critical |
9.8 |
9.8 |
|
|
|
16d ago |
Apache Tomcat - Digest authenticator will authenticate any unknown user |
| CVE-2026-41293 |
critical |
9.8 |
9.8 |
|
|
|
16d ago |
Apache Tomcat - HTTP/2 request headers not validated |
| CVE-2025-55754 |
critical |
9.6 |
9.6 |
|
|
|
10d ago |
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences |
| CVE-2026-43515 |
critical |
9.1 |
9.1 |
|
|
|
16d ago |
Apache Tomcat - Security constraints not correctly applied |
| CVE-2017-5648 |
critical |
9.1 |
9.1 |
|
|
|
9y ago |
Exposure of Resource to Wrong Sphere in Apache Tomcat |
| CVE-2016-5388 |
high |
8.1 |
8.1 |
|
|
|
10y ago |
Improper Access Control in Apache Tomcat |
| CVE-2025-46701 |
high |
— |
8.0 |
|
|
|
10d ago |
Apache Tomcat - CGI security constraint bypass |
| CVE-2025-55668 |
high |
— |
8.0 |
|
|
|
10d ago |
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Old… |
| CVE-2025-31651 |
high |
— |
8.0 |
|
|
|
6mo ago |
Apache Tomcat Rewrite rule bypass |
| CVE-2025-48988 |
high |
— |
8.0 |
|
|
|
9mo ago |
Apache Tomcat - DoS in multipart upload |
| CVE-2025-49125 |
high |
— |
8.0 |
|
|
|
9mo ago |
Apache Tomcat - Security constraint bypass for pre/post-resources |
| CVE-2025-52520 |
high |
— |
8.0 |
|
|
|
9mo ago |
Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits |
| CVE-2024-56337 |
high |
— |
8.0 |
|
|
|
11mo ago |
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability |
| CVE-2025-24813 |
medium |
— |
8.0 |
|
|
|
1y ago |
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. |
| CVE-2023-46589 |
high |
— |
8.0 |
|
|
|
2y ago |
Apache Tomcat Improper Input Validation vulnerability |
| CVE-2020-9484 |
high |
— |
8.0 |
|
|
|
6y ago |
Potential remote code execution in Apache Tomcat |
| CVE-2026-43513 |
high |
7.5 |
7.5 |
|
|
|
16d ago |
Apache Tomcat: LockOutRealm treats user names as case-sensitive |
| CVE-2026-41284 |
high |
7.5 |
7.5 |
|
|
|
16d ago |
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling |
| CVE-2025-55752 |
high |
7.5 |
7.5 |
|
|
|
6mo ago |
Apache Tomcat Vulnerable to Relative Path Traversal |
| CVE-2017-12616 |
high |
7.5 |
7.5 |
|
|
|
9y ago |
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2026-42498 |
high |
7.3 |
7.3 |
|
|
|
16d ago |
Apache Tomcat - WebSocket authentication header exposure |
| CVE-2024-50379 |
medium |
— |
5.5 |
|
|
|
11mo ago |
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability |
| CVE-2023-28708 |
medium |
— |
5.5 |
|
|
|
3y ago |
Moderate: tomcat security and bug fix update |
| CVE-2025-61795 |
medium |
5.3 |
5.3 |
|
|
|
7mo ago |
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release |
| CVE-2012-5886 |
medium |
— |
5.0 |
|
|
|
14y ago |
Improper Authentication in Apache Tomcat |
| CVE-2014-0119 |
medium |
— |
4.3 |
|
|
|
12y ago |
Missing XML Validation in Apache Tomcat |
| CVE-2014-0096 |
medium |
— |
4.3 |
|
|
|
12y ago |
Improper Input Validation in Apache Tomcat |
| CVE-2026-43514 |
low |
3.7 |
3.7 |
|
|
|
16d ago |
Apache Tomcat - AJP secret compared in non-constant time |
| CVE-2024-54677 |
low |
— |
2.5 |
|
|
|
2y ago |
Apache Tomcat Uncontrolled Resource Consumption vulnerability |
| CVE-2017-12617 |
unknown |
— |
2.5 |
|
|
|
4y ago |
When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the serv… |
| CVE-2016-8735 |
unknown |
— |
1.5 |
|
|
|
4y ago |
Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This C… |
| CVE-2026-34483 |
unknown |
— |
— |
|
|
|
2mo ago |
Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve |
| CVE-2026-34487 |
unknown |
— |
— |
|
|
|
2mo ago |
Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File |
| CVE-2026-25854 |
unknown |
— |
— |
|
|
|
2mo ago |
Apache Tomcat has an Open Redirect vulnerability |
| CVE-2026-24733 |
unknown |
— |
— |
|
|
|
3mo ago |
Apache Tomcat - Security constraint bypass with HTTP/0.9 |
| CVE-2025-66614 |
unknown |
— |
— |
|
|
|
3mo ago |
Apache Tomcat - Client certificate verification bypass |
| CVE-2025-49124 |
unknown |
— |
— |
|
|
|
1y ago |
Apache Tomcat installer for Windows has an untrusted search path vulnerability |
| CVE-2024-52316 |
unknown |
— |
— |
|
|
|
2y ago |
Apache Tomcat - Authentication Bypass |
| CVE-2022-45143 |
unknown |
— |
— |
|
|
|
3y ago |
Apache Tomcat improperly escapes input from JsonErrorReportValve |