Skip to main content

Tomcat CVE-2026-24880

| EUVD-2026-21006 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-04-09 apache GHSA-563x-q5rq-57qp
Apache Information Disclosure Red Hat Tomcat Request Smuggling Suse
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:45 euvd
EUVD-2026-21006
Analysis Generated
Apr 09, 2026 - 19:45 vuln.today
CVE Published
Apr 09, 2026 - 19:12 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 14 maven packages depend on org.apache.tomcat:tomcat-catalina (13 direct, 1 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-coyote (2 direct, 0 indirect)
  • 1 maven packages depend on org.apache.tomcat:tomcat-tribes (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.0.0 and other introduced versions.

DescriptionNVD

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

AnalysisAI

HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all Tomcat instances and identify those running versions 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, or 11.0.0-M1-11.0.18; document exposure scope and criticality. Within 7 days: Implement compensating controls (see below) on vulnerable instances and establish upgrade timeline. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2025-48977 HIGH
8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve
CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-42782 HIGH
7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig
CVE-2026-43827 MEDIUM
5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Share

CVE-2026-24880 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy