Apache tomcat

This hub aggregates every CVE we track for Apache tomcat, a product in the networking infrastructure space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache tomcat.

• CVE-2026-43515Apache Tomcat: Security constraints not correctly applied9.1May 12, 2026
• CVE-2026-43514Apache Tomcat: AJP secret compared in non-constant time3.7May 12, 2026
• CVE-2026-43513Apache Tomcat: LockOutRealm treats user names as case-sensitive7.5May 12, 2026
• CVE-2026-43512Apache Tomcat: Digest authenticator will authenticate any unknown user9.8May 12, 2026
• CVE-2026-41293Apache Tomcat: HTTP/2 request headers not validated9.8May 12, 2026
• CVE-2026-42498Apache Tomcat: WebSocket authentication header exposure7.3May 12, 2026
• CVE-2026-41284Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling7.5May 12, 2026
• CVE-2026-34500Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled6.5Apr 9, 2026
• CVE-2026-34487Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token7.5Apr 9, 2026
• CVE-2026-34486Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor7.5Apr 9, 2026
• CVE-2026-34483Apache Tomcat: Incomplete escaping of JSON access logs7.5Apr 9, 2026
• CVE-2026-32990Apache Tomcat: Fix for CVE-2025-66614 is incomplete5.3Apr 9, 2026
• CVE-2026-29146Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default7.5Apr 9, 2026
• CVE-2026-29145Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled9.1Apr 9, 2026
• CVE-2026-29129Apache Tomcat: TLS cipher order is not preserved7.5Apr 9, 2026