CVE-2026-24734 – Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
CVSS: 8.1 | EPSS: 0% | CPEs: 7 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-24734
17 Feb 2026 — Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The foll...
• https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml • CWE-20: Improper Input Validation

CVE-2026-24733 – Apache Tomcat: Security constraint bypass with HTTP/0.9
CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-24733
17 Feb 2026 — Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification-invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected.
• https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f • CWE-20: Improper Input Validation

CVE-2025-66614 – Apache Tomcat: Client certificate verification bypass due to virtual host mapping
CVSS: 9.1 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-66614
17 Feb 2026 — Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP Host header field. If Tomcat was configured with more than one ...
• https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7 • CWE-20: Improper Input Validation

CVE-2025-61795 – Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS
CVSS: 5.3 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-61795
27 Oct 2025 — Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disk were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. ...
• https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp • CWE-404: Improper Resource Shutdown or Release

CVE-2025-55752 – Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-55752
27 Oct 2025 — Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints, including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled, then malicious files could be uploaded, leading to remote code execution. PUT requests...
• https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog • CWE-23: Relative Path Traversal

CVE-2025-55754 – Apache Tomcat: console manipulation via escape sequences in log messages
CVSS: 10.0 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-55754
27 Oct 2025 — Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vect...
• https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2025-53506 – Apache Tomcat: DoS via excessive h2 streams at connection start
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-53506
10 Jul 2025 — Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. ...
• https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0 • CWE-400: Uncontrolled Resource Consumption

CVE-2025-52520 – Apache Tomcat: DoS via integer overflow in multipart file upload
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-52520
10 Jul 2025 — For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. ...
• https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5 • CWE-190: Integer Overflow or Wraparound

CVE-2025-49124 – Apache Tomcat: exe side-loading via icacls.exe in Tomcat installer for Windows
CVSS: 8.4 | EPSS: 0% | CPEs: 5 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-49124
16 Jun 2025 — Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
• https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv • CWE-426: Untrusted Search Path

CVE-2025-49125 – Apache Tomcat: Security constraint bypass for pre/post-resources
CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 2
https://notcve.org/view.php?id=CVE-2025-49125
16 Jun 2025 — Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 th...
• https://github.com/gregk4sec/CVE-2025-49125 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
