Vulnerability-Lookup

WID-SEC-W-2026-1514

Vulnerability from csaf_certbund - Published: 2026-05-12 22:00 - Updated: 2026-06-11 22:00

Summary

Apache Tomcat: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuführen oder andere, nicht spezifizierte bezeichnete Angriffe durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-41284

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-41293

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-42498

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-43512

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-43513

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-43514

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-43515

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Apache Tomcat <10.1.55 Apache / Tomcat		<10.1.55
Apache Tomcat <11.0.22 Apache / Tomcat		<11.0.22
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Apache Tomcat <9.0.118 Apache / Tomcat		<9.0.118
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

References

26 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://tomcat.apache.org/tomcat-9.0-doc/changelo…	external
https://tomcat.apache.org/tomcat-10.1-doc/changel…	external
https://tomcat.apache.org/tomcat-11.0-doc/changel…	external
https://seclists.org/oss-sec/2026/q2/499	external
https://seclists.org/oss-sec/2026/q2/500	external
https://seclists.org/oss-sec/2026/q2/501	external
https://seclists.org/oss-sec/2026/q2/495	external
https://seclists.org/oss-sec/2026/q2/496	external
https://seclists.org/oss-sec/2026/q2/497	external
https://seclists.org/oss-sec/2026/q2/498	external
https://access.redhat.com/errata/RHSA-2026:13745	external
https://access.redhat.com/errata/RHSA-2026:16528	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.opensuse.org/archives/list/security…	external
https://alas.aws.amazon.com/AL2/ALAS2TOMCAT9-2026…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://security-tracker.debian.org/tracker/DSA-6329-1	external
https://security-tracker.debian.org/tracker/DSA-6328-1	external
https://ubuntu.com/security/notices/USN-8417-1	external
https://access.redhat.com/errata/RHSA-2026:25123	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Tomcat ist ein Web-Applikationsserver f\u00fcr verschiedene Plattformen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuf\u00fchren oder andere, nicht spezifizierte bezeichnete Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1514 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1514.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1514 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1514"
      },
      {
        "category": "external",
        "summary": "Tomcat 9.0.118 Changelog vom 2026-05-12",
        "url": "https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.118_%28remm%29"
      },
      {
        "category": "external",
        "summary": "Tomcat 10.1.55 Changelog vom 2026-05-12",
        "url": "https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.55_%28schultz%29"
      },
      {
        "category": "external",
        "summary": "Tomcat 11.0.22 Changelog vom 2026-05-12",
        "url": "https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.22_%28markt%29"
      },
      {
        "category": "external",
        "summary": "CVE-2026-41284: Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/499"
      },
      {
        "category": "external",
        "summary": "CVE-2026-41293: Apache Tomcat: HTTP/2 request headers not validated vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/500"
      },
      {
        "category": "external",
        "summary": "CVE-2026-42498: Apache Tomcat: WebSocket authentication header exposure vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/501"
      },
      {
        "category": "external",
        "summary": "CVE-2026-43512: Apache Tomcat: Digest authenticator will authenticate any unknown user vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/495"
      },
      {
        "category": "external",
        "summary": "CVE-2026-43513: Apache Tomcat: LockOutRealm treats user names as case-sensitive vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/496"
      },
      {
        "category": "external",
        "summary": "CVE-2026-43514: Apache Tomcat: AJP secret compared in non-constant time vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/497"
      },
      {
        "category": "external",
        "summary": "CVE-2026-43515: Apache Tomcat: Security constraints not correctly applied vom 2026-05-12",
        "url": "https://seclists.org/oss-sec/2026/q2/498"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13745 vom 2026-05-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:13745"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16528 vom 2026-05-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:16528"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10926-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EAWPQZS5U2ZRRCJCB7SUATFWSLFSQJ45/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10927-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/I5CAG66XW37HZ5G7VC4CN4HMJYOCCYA6/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4619 vom 2026-06-07",
        "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00008.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10925-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CVVBYAOA37ASFUT7AGSXLIKJLFQDFQ6F/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2TOMCAT9-2026-026 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2TOMCAT9-2026-026.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2299-1 vom 2026-06-08",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026605.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6329 vom 2026-06-08",
        "url": "https://security-tracker.debian.org/tracker/DSA-6329-1"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6328 vom 2026-06-08",
        "url": "https://security-tracker.debian.org/tracker/DSA-6328-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8417-1 vom 2026-06-10",
        "url": "https://ubuntu.com/security/notices/USN-8417-1"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:25123 vom 2026-06-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:25123"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2374-1 vom 2026-06-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026709.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2377-1 vom 2026-06-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026706.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Tomcat: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-11T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-12T07:38:03.471+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1514",
      "initial_release_date": "2026-05-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: GHSA-5M62-PW8W-7W9F"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von openSUSE und Debian aufgenommen"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Amazon, SUSE und Debian aufgenommen"
        },
        {
          "date": "2026-06-09T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-06-10T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-11T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.0.118",
                "product": {
                  "name": "Apache Tomcat \u003c9.0.118",
                  "product_id": "T053965"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.118",
                "product": {
                  "name": "Apache Tomcat 9.0.118",
                  "product_id": "T053965-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:9.0.118"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.55",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.55",
                  "product_id": "T053967"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.55",
                "product": {
                  "name": "Apache Tomcat 10.1.55",
                  "product_id": "T053967-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.55"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.22",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.22",
                  "product_id": "T053968"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.22",
                "product": {
                  "name": "Apache Tomcat 11.0.22",
                  "product_id": "T053968-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.22"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41284",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-41284"
    },
    {
      "cve": "CVE-2026-41293",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-41293"
    },
    {
      "cve": "CVE-2026-42498",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42498"
    },
    {
      "cve": "CVE-2026-43512",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-43512"
    },
    {
      "cve": "CVE-2026-43513",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-43513"
    },
    {
      "cve": "CVE-2026-43514",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-43514"
    },
    {
      "cve": "CVE-2026-43515",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053967",
          "T053968",
          "T027843",
          "T053965",
          "398363"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-43515"
    }
  ]
}

CVE-2026-41284 (GCVE-0-2026-41284)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:14 – Updated: 2026-05-13 15:57

Title

Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/2nvqjr7ovjmvx2vbh…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 10.0.0-M1 , ≤ 10.0.27 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 4.0 , ≤ 7.0.109 (semver)

Credits

Dariusz Gońda

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:40:56.383Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/12"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-41284",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:57:41.987314Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T15:57:45.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dariusz Go\u0144da"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.\u003cbr\u003eOlder, unsupported versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.\nOlder, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:14:45.278Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-41284",
    "datePublished": "2026-05-12T15:14:45.278Z",
    "dateReserved": "2026-04-20T07:27:43.961Z",
    "dateUpdated": "2026-05-13T15:57:45.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41293 (GCVE-0-2026-41293)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:19 – Updated: 2026-05-14 19:54

Title

Apache Tomcat: HTTP/2 request headers not validated

Summary

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/qwg0q16z7xkb2qrr8…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 10.0.0-M1 , ≤ 10.0.27 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver)

Credits

Dawit Jeong (@dawitngoliath)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:40:57.407Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/13"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-41293",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:40:13.006509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:54:07.534Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dawit Jeong (@dawitngoliath)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.\u003cbr\u003eOlder, end of support versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.\nOlder, end of support versions may also be affected.\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:19:35.179Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: HTTP/2 request headers not validated",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-41293",
    "datePublished": "2026-05-12T15:19:35.179Z",
    "dateReserved": "2026-04-20T10:26:28.623Z",
    "dateUpdated": "2026-05-14T19:54:07.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42498 (GCVE-0-2026-42498)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:17 – Updated: 2026-05-13 15:59

Title

Apache Tomcat: WebSocket authentication header exposure

Summary

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of HTTP Authentication Header to unexpected hosts

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/n61zwf75jrv09rz90…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.2 , ≤ 9.0.117 (semver) Affected: 8.5.24 , ≤ 8.5.100 (semver) Affected: 7.0.83 , ≤ 7.0.109 (semver)

Credits

lokerxx

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:40:58.470Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/14"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42498",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:58:45.406125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T15:59:04.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.83",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "lokerxx"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eExposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of HTTP Authentication Header to unexpected hosts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:17:56.531Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: WebSocket authentication header exposure",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-42498",
    "datePublished": "2026-05-12T15:17:56.531Z",
    "dateReserved": "2026-04-27T22:13:05.647Z",
    "dateUpdated": "2026-05-13T15:59:04.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43512 (GCVE-0-2026-43512)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:24 – Updated: 2026-05-14 19:53

Title

Apache Tomcat: Digest authenticator will authenticate any unknown user

Summary

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-592 - DEPRECATED: Authentication Bypass Issues

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/7x09x7o12solvclsl…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/05/12/8

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.0.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:40:59.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:38:42.418842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:53:34.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.0",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.\u003cbr\u003eOlder unsupported versions any also be affect\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.\nOlder unsupported versions any also be affect\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-592",
              "description": "CWE-592 DEPRECATED: Authentication Bypass Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:24:02.424Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Digest authenticator will authenticate any unknown user",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43512",
    "datePublished": "2026-05-12T15:24:02.424Z",
    "dateReserved": "2026-05-01T16:19:22.016Z",
    "dateUpdated": "2026-05-14T19:53:34.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43513 (GCVE-0-2026-43513)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:26 – Updated: 2026-05-14 19:53

Title

Apache Tomcat: LockOutRealm treats user names as case-sensitive

Summary

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/ytjcgldshj73lcnd1…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/05/12/9

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.00 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:41:00.529Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43513",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:34:43.121351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:53:30.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.00",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u003cbr\u003eOlder unsupported versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOlder unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:26:25.599Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/ytjcgldshj73lcnd1sh95od5hrghwogp"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: LockOutRealm treats user names as case-sensitive",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43513",
    "datePublished": "2026-05-12T15:26:25.599Z",
    "dateReserved": "2026-05-01T16:21:04.703Z",
    "dateUpdated": "2026-05-14T19:53:30.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43514 (GCVE-0-2026-43514)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:32 – Updated: 2026-05-13 17:22

Title

Apache Tomcat: AJP secret compared in non-constant time

Summary

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Severity

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/2k654v5cq123npfsd…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.00 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:41:01.502Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 3.7,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43514",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T17:22:38.680265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T17:22:42.246Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.00",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eObservable Timing Discrepancy \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evulnerability\u0026nbsp;\u003c/span\u003ewhen comparing AJP secret in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u003cbr\u003eOlder unsupported versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Observable Timing Discrepancy vulnerability\u00a0when comparing AJP secret in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOlder unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T15:32:09.858Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: AJP secret compared in non-constant time",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43514",
    "datePublished": "2026-05-12T15:32:09.858Z",
    "dateReserved": "2026-05-01T16:22:01.182Z",
    "dateUpdated": "2026-05-13T17:22:42.246Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43515 (GCVE-0-2026-43515)

Vulnerability from cvelistv5 – Published: 2026-05-12 15:33 – Updated: 2026-06-04 09:57

Title

Apache Tomcat: Security constraints not correctly applied

Summary

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-285 - Improper Authorization

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/746nxfxod0wsocxtm…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.21 (semver) Affected: 10.1.0-M1 , ≤ 10.1.54 (semver) Affected: 9.0.0.M1 , ≤ 9.0.117 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.0.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-12T17:41:02.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/12/11"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:33:57.706160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:53:24.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.21",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.54",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.117",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.0",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T09:57:54.826Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Security constraints not correctly applied",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43515",
    "datePublished": "2026-05-12T15:33:23.311Z",
    "dateReserved": "2026-05-01T16:24:01.021Z",
    "dateUpdated": "2026-06-04T09:57:54.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1514

CVE-2026-41284 (GCVE-0-2026-41284)

CVE-2026-41293 (GCVE-0-2026-41293)

CVE-2026-42498 (GCVE-0-2026-42498)

CVE-2026-43512 (GCVE-0-2026-43512)

CVE-2026-43513 (GCVE-0-2026-43513)

CVE-2026-43514 (GCVE-0-2026-43514)

CVE-2026-43515 (GCVE-0-2026-43515)

Tags

Sightings

Nomenclature