CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-49124 – Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows
https://notcve.org/view.php?id=CVE-2025-49124
16 Jun 2025 — Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. • https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv • CWE-426: Untrusted Search Path •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2025-49125 – Apache Tomcat: Security constraint bypass for pre/post-resources
https://notcve.org/view.php?id=CVE-2025-49125
16 Jun 2025 — Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 th... • https://github.com/gregk4sec/CVE-2025-49125 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-48988 – Apache Tomcat: FileUpload large number of parts with headers DoS
https://notcve.org/view.php?id=CVE-2025-48988
16 Jun 2025 — Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. • https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-46701 – Apache Tomcat: Security constraint bypass for CGI scripts
https://notcve.org/view.php?id=CVE-2025-46701
29 May 2025 — Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. • https://github.com/gregk4sec/CVE-2025-46701 • CWE-178: Improper Handling of Case Sensitivity •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-31651 – Apache Tomcat: Bypass of rules in Rewrite Valve
https://notcve.org/view.php?id=CVE-2025-31651
28 Apr 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERS... • https://github.com/gregk4sec/CVE-2025-31651 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 7CVE-2025-31650 – Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
https://notcve.org/view.php?id=CVE-2025-31650
28 Apr 2025 — Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fi... • https://packetstorm.news/files/id/200672 • CWE-20: Improper Input Validation CWE-459: Incomplete Cleanup •
CVSS: 10.0EPSS: 93%CPEs: 3EXPL: 40CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability
https://notcve.org/view.php?id=CVE-2025-24813
28 Feb 2025 — Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (... • https://packetstorm.news/files/id/189826 • CWE-44: Path Equivalence: 'file.name' (Internal Dot) CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 5%CPEs: 3EXPL: 0CVE-2024-56337 – Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete
https://notcve.org/view.php?id=CVE-2024-56337
20 Dec 2024 — Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which... • https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 5.3EPSS: 2%CPEs: 3EXPL: 0CVE-2024-54677 – Apache Tomcat: DoS in examples web application
https://notcve.org/view.php?id=CVE-2024-54677
17 Dec 2024 — Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. A flaw was found in the "examples" web application of Apache Tomcat. Numerous examples within that application did not place limits on uploaded data. • https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 88%CPEs: 3EXPL: 20CVE-2024-50379 – Apache Tomcat: RCE due to TOCTOU issue in JSP compilation
https://notcve.org/view.php?id=CVE-2024-50379
17 Dec 2024 — Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue. Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability ... • https://github.com/yiliufeng168/CVE-2024-50379-POC • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •