Apache Tomcat
This hub aggregates every CVE we track for Apache Tomcat, a product in the networking infrastructure space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 264
- Critical: 18
- High: 90
- In CISA KEV: 6
Severity distribution
- MEDIUM: 141
- HIGH: 90
- CRITICAL: 18
- LOW: 15
Monthly trend
Chart values, 2024-08 to 2026-07: 0, 0, 0, 4, 3, 0, 0, 1, 2, 1, 3, 3, 2, 0, 3, 0, 0, 0, 3, 0, 10, 7, 7, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Apache Tomcat.
- CVE-2026-55957 | Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind | 7.3
- CVE-2026-55956 | Apache Tomcat: Security constraints for default servlet ignored method | 6.5
- CVE-2026-55955 | Apache Tomcat: EncryptInterceptor not protected against replay attacks | 6.5
- CVE-2026-55276 | Apache Tomcat: Logged effective web.xml is incomplete | 9.1
- CVE-2026-53434 | Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector | 9.1
- CVE-2026-53404 | Apache Tomcat: Bad ornext processing in RewriteValve | 7.3
- CVE-2026-50229 | Apache Tomcat: XSS in number guess example | 6.1
- CVE-2026-43515 | Apache Tomcat: Security constraints not correctly applied | 9.1
- CVE-2026-43514 | Apache Tomcat: AJP secret compared in non-constant time | 3.7
- CVE-2026-43513 | Apache Tomcat: LockOutRealm treats user names as case-sensitive | 7.5
- CVE-2026-43512 | Apache Tomcat: Digest authenticator will authenticate any unknown user | 9.8
- CVE-2026-41293 | Apache Tomcat: HTTP/2 request headers not validated | 9.8
- CVE-2026-42498 | Apache Tomcat: WebSocket authentication header exposure | 7.3
- CVE-2026-41284 | Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling | 7.5
- CVE-2026-34500 | Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled | 6.5
Product normalization is registry-driven with AI assist and human review.