CVE-2026-32990
MEDIUM5.3EPSS 0.21%Apache Tomcat has an Improper Input Validation vulnerability
Published: 4/9/2026Modified: 4/28/2026
Description
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Affected packages (7)
- Bitnami/tomcat>= 9.0.13, < 9.0.116, >= 10.1.50, < 10.1.53, >= 11.0.15, < 11.0.20
- Debian/tomcat10from 0
- Debian/tomcat11from 0
- Debian/tomcat9from 0, < 9.0.70-2
- Maven/org.apache.tomcat.embed:tomcat-embed-core>= 9.0.113, < 9.0.116
- Maven/org.apache.tomcat:tomcat>= 9.0.113, < 9.0.116
- Maven/org.apache.tomcat:tomcat-coyote>= 9.0.113, < 9.0.116
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32990
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-32990
- PATCHhttps://github.com/apache/tomcat
- WEBhttps://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
- WEBhttps://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
- WEBhttps://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
- WEBhttps://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
- WEBhttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
- WEBhttps://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
- WEBhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
- WEBhttps://www.herodevs.com/vulnerability-directory/cve-2026-32990