Skip to main content

Tomcat CVE-2026-32990

| EUVDEUVD-2026-21018 MEDIUM
Improper Input Validation (CWE-20)
2026-04-09 apache GHSA-8mc5-53m5-3qj2
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:45 euvd
EUVD-2026-21018
Analysis Generated
Apr 09, 2026 - 19:45 vuln.today
CVE Published
Apr 09, 2026 - 19:23 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 82 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (13 direct, 69 indirect)
  • 1 maven packages depend on org.apache.tomcat:tomcat (1 direct, 0 indirect)
  • 513 maven packages depend on org.apache.tomcat:tomcat-catalina (3 direct, 510 indirect)
  • 15 maven packages depend on org.apache.tomcat:tomcat-coyote (4 direct, 11 indirect)

Ecosystem-wide dependent count for version 9.0.113 and other introduced versions.

DescriptionCVE.org

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

AnalysisAI

Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.

Technical ContextAI

This vulnerability stems from CWE-20 (Improper Input Validation) and represents an incomplete remediation of CVE-2025-66614. The issue affects Apache Tomcat's request processing pipeline, where insufficient validation of user-supplied input allows information disclosure. Tomcat is a widely-deployed open-source Java application server implementing the Jakarta Servlet and JavaServer Pages (JSP) specifications. The vulnerability operates over the network (CVSS AV:N) with low attack complexity (AC:L), meaning no special conditions or user interaction are required. The CPE identifier cpe:2.3:a:apache_software_foundation:apache_tomcat:*:*:*:*:*:*:*:* confirms this affects all Tomcat installations across the specified version ranges.

RemediationAI

Upgrade immediately to Apache Tomcat 11.0.20, 10.1.53, or 9.0.116, which contain the corrected input validation logic. Organizations on Tomcat 11.x should upgrade to 11.0.20 or later; those on 10.1.x should upgrade to 10.1.53 or later; and those on 9.0.x should upgrade to 9.0.116 or later. No interim workarounds are documented; patching is the primary remediation path. Consult the official Apache Tomcat advisory at https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7 and https://nvd.nist.gov/vuln/detail/CVE-2026-32990 for release notes and additional deployment guidance.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-32990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy