Tomcat
Monthly
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQueue→TemplatesImpl gadget chain with libraries bundled in OpenAM's WAR file. Vendor-released patch available in version 16.0.6 (GitHub commit 014007c). No public exploit code identified at time of analysis, but detailed technical writeup with gadget chain specifics has been published.
Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.
Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]
Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.
In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL version 8.5.0 through 8.5.100, requiring only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated as Network/Low complexity, this represents a significant availability risk for unpatched deployments.
Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.
A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.3%.
N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQueue→TemplatesImpl gadget chain with libraries bundled in OpenAM's WAR file. Vendor-released patch available in version 16.0.6 (GitHub commit 014007c). No public exploit code identified at time of analysis, but detailed technical writeup with gadget chain specifics has been published.
Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.
Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]
Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.
In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL version 8.5.0 through 8.5.100, requiring only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated as Network/Low complexity, this represents a significant availability risk for unpatched deployments.
Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.
A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.3%.
N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.