All known vulnerabilities
CRITICAL | 9.8 | CVE-2025-24813 | ⚠ KEV | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | >= 11.0.0-M1, < 11.0.3
CRITICAL | 9.8 | CVE-2016-8735 | ⚠ KEV | Apache Tomcat Improper Access Control vulnerability | from 0, < 6.0.48
>= 9.0.0.M1, < 9.0.1
CRITICAL | 9.8 | CVE-2026-43512 | Apache Tomcat - Digest authenticator will authenticate any unknown user | from 0, < 9.0.118
CRITICAL | 9.8 | CVE-2026-41293 | Apache Tomcat - HTTP/2 request headers not validated | from 0, < 9.0.118
CRITICAL | 9.8 | CVE-2025-31651 | Apache Tomcat: Bypass of rules in Rewrite Valve | >= 9.0.76, < 9.0.104
CRITICAL | 9.8 | CVE-2024-56337 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete | >= 11.0.0-M1, < 11.0.2
CRITICAL | 9.8 | CVE-2024-50379 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation | >= 11.0.0-M1, < 11.0.2
CRITICAL | 9.8 | CVE-2024-52316 | Apache Tomcat: Authentication bypass when using Jakarta Authentication API | from 0, < 9.0.96
CRITICAL | 9.6 | CVE-2025-55754 | Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences | >= 11.0.0-M1, < 11.0.11
CRITICAL | 9.1 | CVE-2026-43515 | Apache Tomcat - Security constraints not correctly applied | from 0, < 9.0.118
CRITICAL | 9.1 | CVE-2025-66614 | Apache Tomcat: Client certificate verification bypass due to virtual host mapping | >= 11.0.0-M1, < 11.0.15
CRITICAL | 9.1 | CVE-2017-5648 | Exposure of Resource to Wrong Sphere in Apache Tomcat | >= 9.0.0.M1, < 9.0.0.M18
HIGH | 8.4 | CVE-2025-49124 | Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows | >= 11.0.0-M1, < 11.0.8
>= 7.0.0, < 7.0.72
HIGH | 7.5 | CVE-2026-41284 | Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling | from 0, < 9.0.118
HIGH | 7.5 | CVE-2026-43513 | Apache Tomcat: LockOutRealm treats user names as case-sensitive | from 0, < 9.0.118
HIGH | 7.5 | CVE-2026-34483 | Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve | >= 9.0.40, < 9.0.116
HIGH | 7.5 | CVE-2026-34487 | Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token | >= 9.0.13, < 9.0.117
HIGH | 7.5 | CVE-2025-55752 | Apache Tomcat Vulnerable to Relative Path Traversal | >= 11.0.0-M1, < 11.0.11
HIGH | 7.5 | CVE-2025-52520 | Apache Tomcat: DoS via integer overflow in multipart file upload | >= 11.0.0-M1, < 11.0.9
HIGH | 7.5 | CVE-2025-48988 | Apache Tomcat: FileUpload large number of parts with headers DoS | >= 11.0.0-M1, < 11.0.8
HIGH | 7.5 | CVE-2025-49125 | Apache Tomcat: Security constraint bypass for pre/post-resources | >= 11.0.0-M1, < 11.0.8
HIGH | 7.5 | CVE-2023-46589 | Apache Tomcat: HTTP request smuggling via malformed trailer headers | >= 11.0.0-M1, < 11.0.0-M11
>= 10.1.0, < 10.1.2
>= 7.0.0, < 7.0.81
HIGH | 7.3 | CVE-2026-42498 | Apache Tomcat - WebSocket authentication header exposure | from 0, < 9.0.118
HIGH | 7.3 | CVE-2025-46701 | Apache Tomcat: Security constraint bypass for CGI scripts | >= 9.0.0.M1, < 9.0.105
HIGH | 7.0 | CVE-2020-9484 | Potential remote code execution in Apache Tomcat | >= 10.0.0-M1, < 10.0.0-M5
MEDIUM | 6.5 | CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve | >= 11.0.0-M1, < 11.0.8
MEDIUM | 6.1 | CVE-2026-25854 | Apache Tomcat has an Open Redirect vulnerability | >= 8.5.30, < 9.0.116
MEDIUM | 5.3 | CVE-2025-61795 | Apache Tomcat Vulnerable to Improper Resource Shutdown or Release | >= 11.0.0-M1, < 11.0.12
MEDIUM | 5.3 | CVE-2024-54677 | Apache Tomcat Uncontrolled Resource Consumption vulnerability | >= 8.5.0, <= 8.5.100
MEDIUM | 4.3 | CVE-2023-28708 | Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations | >= 11.0.0-M1, < 11.0.0-M3
LOW | 3.7 | CVE-2026-43514 | Apache Tomcat - AJP secret compared in non-constant time | from 0, < 9.0.118
LOW | 3.7 | CVE-2026-24733 | Apache Tomcat: Security constraint bypass with HTTP/0.9 | >= 11.0.0-M1, < 11.0.15
>= 5.5.0, < 5.5.36
from 0, < 6.0.40
from 0, < 6.0.40