OPENSUSE-SU-2026:20595-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:20595-1

Vulnerability from csaf_opensuse - Published: 2026-04-21 11:43 - Updated: 2026-04-21 11:43

Summary

Security update for tomcat11

Severity

Important

Notes

Title of the patch: Security update for tomcat11

Description of the patch: This update for tomcat11 fixes the following issues: - Update to Tomcat 11.0.21 - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853). - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854). - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855). - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856). - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857). - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)

Patchnames: openSUSE-Leap-16.0-605

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2025-66614

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-24880

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-25854

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-29129

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-29145

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-29146

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32990

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-34483

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-34486

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-34487

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-34500

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://bugzilla.suse.com/1258371	self
	https://bugzilla.suse.com/1261850	self
	https://bugzilla.suse.com/1261851	self
	https://bugzilla.suse.com/1261852	self
	https://bugzilla.suse.com/1261853	self
	https://bugzilla.suse.com/1261854	self
	https://bugzilla.suse.com/1261855	self
	https://bugzilla.suse.com/1261856	self
	https://bugzilla.suse.com/1261857	self
	https://www.suse.com/security/cve/CVE-2025-66614/	self
	https://www.suse.com/security/cve/CVE-2026-24880/	self
	https://www.suse.com/security/cve/CVE-2026-25854/	self
	https://www.suse.com/security/cve/CVE-2026-29129/	self
	https://www.suse.com/security/cve/CVE-2026-29145/	self
	https://www.suse.com/security/cve/CVE-2026-29146/	self
	https://www.suse.com/security/cve/CVE-2026-32990/	self
	https://www.suse.com/security/cve/CVE-2026-34483/	self
	https://www.suse.com/security/cve/CVE-2026-34486/	self
	https://www.suse.com/security/cve/CVE-2026-34487/	self
	https://www.suse.com/security/cve/CVE-2026-34500/	self
	https://www.suse.com/security/cve/CVE-2025-66614	external
	https://bugzilla.suse.com/1258371	external
	https://www.suse.com/security/cve/CVE-2026-24880	external
	https://bugzilla.suse.com/1261850	external
	https://www.suse.com/security/cve/CVE-2026-25854	external
	https://bugzilla.suse.com/1261851	external
	https://www.suse.com/security/cve/CVE-2026-29129	external
	https://bugzilla.suse.com/1261852	external
	https://www.suse.com/security/cve/CVE-2026-29145	external
	https://bugzilla.suse.com/1261853	external
	https://www.suse.com/security/cve/CVE-2026-29146	external
	https://bugzilla.suse.com/1261854	external
	https://www.suse.com/security/cve/CVE-2026-32990	external
	https://bugzilla.suse.com/1258371	external
	https://www.suse.com/security/cve/CVE-2026-34483	external
	https://bugzilla.suse.com/1261855	external
	https://www.suse.com/security/cve/CVE-2026-34486	external
	https://bugzilla.suse.com/1261854	external
	https://www.suse.com/security/cve/CVE-2026-34487	external
	https://bugzilla.suse.com/1261856	external
	https://www.suse.com/security/cve/CVE-2026-34500	external
	https://bugzilla.suse.com/1261857	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for tomcat11",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for tomcat11 fixes the following issues:\n\n- Update to Tomcat 11.0.21\n- CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).\n- CVE-2026-25854: Occasionally open redirect (bsc#1261851).\n- CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).\n- CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).\n- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).\n- CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).\n- CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).\n- CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).\n- CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-605",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20595-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1258371",
        "url": "https://bugzilla.suse.com/1258371"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261850",
        "url": "https://bugzilla.suse.com/1261850"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261851",
        "url": "https://bugzilla.suse.com/1261851"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261852",
        "url": "https://bugzilla.suse.com/1261852"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261853",
        "url": "https://bugzilla.suse.com/1261853"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261854",
        "url": "https://bugzilla.suse.com/1261854"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261855",
        "url": "https://bugzilla.suse.com/1261855"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261856",
        "url": "https://bugzilla.suse.com/1261856"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261857",
        "url": "https://bugzilla.suse.com/1261857"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-66614 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-66614/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-24880 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-24880/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-25854 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-25854/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-29129 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-29129/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-29145 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-29145/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-29146 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-29146/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32990 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32990/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34483 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34483/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34486 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34486/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34487 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34487/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34500 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34500/"
      }
    ],
    "title": "Security update for tomcat11",
    "tracking": {
      "current_release_date": "2026-04-21T11:43:18Z",
      "generator": {
        "date": "2026-04-21T11:43:18Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20595-1",
      "initial_release_date": "2026-04-21T11:43:18Z",
      "revision_history": [
        {
          "date": "2026-04-21T11:43:18Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat11-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-admin-webapps-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-doc-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-doc-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-doc-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-docs-webapp-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-embed-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-embed-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-embed-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-jsvc-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-jsvc-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-jsvc-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-lib-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-lib-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-lib-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-webapps-11.0.21-160000.1.1.noarch",
                "product": {
                  "name": "tomcat11-webapps-11.0.21-160000.1.1.noarch",
                  "product_id": "tomcat11-webapps-11.0.21-160000.1.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-admin-webapps-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-doc-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-doc-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-docs-webapp-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-embed-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-embed-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsvc-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-jsvc-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-lib-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-lib-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-webapps-11.0.21-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        },
        "product_reference": "tomcat11-webapps-11.0.21-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-66614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Input Validation vulnerability.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.\nTomcat did not validate that the host name provided via the SNI \nextension was the same as the host name provided in the HTTP host header \nfield. If Tomcat was configured with more than one virtual host and the \nTLS configuration for one of those hosts did not require client \ncertificate authentication but another one did, it was possible for a \nclient to bypass the client certificate authentication by sending \ndifferent host names in the SNI extension and the HTTP host header field.\n\n\n\nThe vulnerability only applies if client certificate authentication is \nonly enforced at the Connector. It does not apply if client certificate \nauthentication is enforced at the web application.\n\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-66614",
          "url": "https://www.suse.com/security/cve/CVE-2025-66614"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258371 for CVE-2025-66614",
          "url": "https://bugzilla.suse.com/1258371"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-66614"
    },
    {
      "cve": "CVE-2026-24880",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-24880"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-24880",
          "url": "https://www.suse.com/security/cve/CVE-2026-24880"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261850 for CVE-2026-24880",
          "url": "https://bugzilla.suse.com/1261850"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-24880"
    },
    {
      "cve": "CVE-2026-25854",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-25854"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Occasional URL redirection to untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-25854",
          "url": "https://www.suse.com/security/cve/CVE-2026-25854"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261851 for CVE-2026-25854",
          "url": "https://bugzilla.suse.com/1261851"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-25854"
    },
    {
      "cve": "CVE-2026-29129",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-29129"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-29129",
          "url": "https://www.suse.com/security/cve/CVE-2026-29129"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261852 for CVE-2026-29129",
          "url": "https://bugzilla.suse.com/1261852"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-29129"
    },
    {
      "cve": "CVE-2026-29145",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-29145"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-29145",
          "url": "https://www.suse.com/security/cve/CVE-2026-29145"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261853 for CVE-2026-29145",
          "url": "https://bugzilla.suse.com/1261853"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-29145"
    },
    {
      "cve": "CVE-2026-29146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-29146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Padding Oracle vulnerability in Apache Tomcat\u0027s EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-29146",
          "url": "https://www.suse.com/security/cve/CVE-2026-29146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261854 for CVE-2026-29146",
          "url": "https://bugzilla.suse.com/1261854"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-29146"
    },
    {
      "cve": "CVE-2026-32990",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32990"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32990",
          "url": "https://www.suse.com/security/cve/CVE-2026-32990"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258371 for CVE-2026-32990",
          "url": "https://bugzilla.suse.com/1258371"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32990"
    },
    {
      "cve": "CVE-2026-34483",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34483"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34483",
          "url": "https://www.suse.com/security/cve/CVE-2026-34483"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261855 for CVE-2026-34483",
          "url": "https://bugzilla.suse.com/1261855"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34483"
    },
    {
      "cve": "CVE-2026-34486",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34486"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the  fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34486",
          "url": "https://www.suse.com/security/cve/CVE-2026-34486"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261854 for CVE-2026-34486",
          "url": "https://bugzilla.suse.com/1261854"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-34486"
    },
    {
      "cve": "CVE-2026-34487",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34487"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34487",
          "url": "https://www.suse.com/security/cve/CVE-2026-34487"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261856 for CVE-2026-34487",
          "url": "https://bugzilla.suse.com/1261856"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34487"
    },
    {
      "cve": "CVE-2026-34500",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34500"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
          "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34500",
          "url": "https://www.suse.com/security/cve/CVE-2026-34500"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261857 for CVE-2026-34500",
          "url": "https://bugzilla.suse.com/1261857"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:tomcat11-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-admin-webapps-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-doc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-docs-webapp-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-el-6_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-embed-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsp-4_0-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-jsvc-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-lib-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-servlet-6_1-api-11.0.21-160000.1.1.noarch",
            "openSUSE Leap 16.0:tomcat11-webapps-11.0.21-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T11:43:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34500"
    }
  ]
}

CVE-2026-29146 (GCVE-0-2026-29146)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:21 – Updated: 2026-04-10 18:17

Title

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Summary

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Severity ?

No CVSS data available.

CWE

Padding Oracle

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/lzt04z2pb3dc5tk85…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.0.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.13 , ≤ 9.0.115 (semver) Affected: 8.5.38 , ≤ 8.5.100 (semver) Affected: 7.0.100 , ≤ 7.0.109 (semver)

Credits

Uri Katz and Avi Lumelsky (Oligo Security)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:51.111Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29146",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:17:02.531112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-209",
                "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-642",
                "description": "CWE-642 External Control of Critical State Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:17:59.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.38",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.100",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Uri Katz and Avi Lumelsky (Oligo Security)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePadding Oracle vulnerability in Apache Tomcat\u0027s EncryptInterceptor with default configuration.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Padding Oracle vulnerability in Apache Tomcat\u0027s EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Padding Oracle",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:21:57.289Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29146",
    "datePublished": "2026-04-09T19:21:57.289Z",
    "dateReserved": "2026-03-04T10:35:55.231Z",
    "dateUpdated": "2026-04-10T18:17:59.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29145 (GCVE-0-2026-29145)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:20 – Updated: 2026-04-10 18:11

Title

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Summary

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Severity ?

No CVSS data available.

CWE

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/yz5fxmhd2j43wgqyk…

vendor-advisory

Impacted products

Vendor

Product

Version

Apache Software Foundation

Affected: 11.0.0-M1 , ≤ 11.0.18 (semver)
Affected: 10.1.0-M7 , ≤ 10.1.52 (semver)
Affected: 9.0.83 , ≤ 9.0.115 (semver)
Unaffected: 0 , ≤ 8.5.100 (semver)

Apache Software Foundation

Apache Tomcat Native

Affected: 1.1.23 , ≤ 1.1.34 (semver)
Affected: 1.2.0 , ≤ 1.2.39 (semver)
Affected: 1.3.0 , ≤ 1.3.6 (semver)
Affected: 2.0.0 , ≤ 2.0.13 (semver)

Credits

gregk4sec (https://github.com/gregk4sec)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:49.788Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/23"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:10:50.492750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:11:31.014Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat Native",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1.34",
              "status": "affected",
              "version": "1.1.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.2.39",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.3.6",
              "status": "affected",
              "version": "1.3.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.0.13",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "gregk4sec (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:20:24.601Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29145",
    "datePublished": "2026-04-09T19:20:24.601Z",
    "dateReserved": "2026-03-04T09:52:45.179Z",
    "dateUpdated": "2026-04-10T18:11:31.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34500 (GCVE-0-2026-34500)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:36 – Updated: 2026-04-10 14:22

Title

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Summary

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/7rcl4zdxryc8hy3ht…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M14 , ≤ 11.0.20 (semver) Affected: 10.1.22 , ≤ 10.1.53 (semver) Affected: 9.0.92 , ≤ 9.0.116 (semver)

Credits

Haruki Oyama (Waseda University)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:55.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34500",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T14:21:50.556349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T14:22:31.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.92",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Haruki Oyama (Waseda University)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:36:52.857Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34500",
    "datePublished": "2026-04-09T19:36:52.857Z",
    "dateReserved": "2026-03-30T08:34:56.185Z",
    "dateUpdated": "2026-04-10T14:22:31.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32990 (GCVE-0-2026-32990)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:23 – Updated: 2026-04-10 18:39

Title

Apache Tomcat: Fix for CVE-2025-66614 is incomplete

Summary

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/1nl9zqft0ksqlhlkd…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.15 , ≤ 11.0.19 (semver) Affected: 10.1.50 , ≤ 10.1.52 (semver) Affected: 9.0.113 , ≤ 9.0.115 (semver)

Credits

zhengg

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:38:40.304932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:39:25.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.19",
              "status": "affected",
              "version": "11.0.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.113",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zhengg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:23:49.618Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-32990",
    "datePublished": "2026-04-09T19:23:49.618Z",
    "dateReserved": "2026-03-17T13:55:48.216Z",
    "dateUpdated": "2026-04-10T18:39:25.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29129 (GCVE-0-2026-29129)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:19 – Updated: 2026-04-10 18:06

Title

Apache Tomcat: TLS cipher order is not preserved

Summary

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity ?

No CVSS data available.

CWE

Configured cipher preference order not preserved

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.16 , ≤ 11.0.18 (semver) Affected: 10.1.51 , ≤ 10.1.52 (semver) Affected: 9.0.114 , ≤ 9.0.115 (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:48.414Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29129",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:05:39.544150Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-327",
                "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:06:45.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.114",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eConfigured cipher preference order not preserved vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Configured cipher preference order not preserved",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:19:40.645Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: TLS cipher order is not preserved",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29129",
    "datePublished": "2026-04-09T19:19:40.645Z",
    "dateReserved": "2026-03-04T08:16:56.456Z",
    "dateUpdated": "2026-04-10T18:06:45.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34483 (GCVE-0-2026-34483)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:30 – Updated: 2026-04-10 20:17

Title

Apache Tomcat: Incomplete escaping of JSON access logs

Summary

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/j1w7304yonlr8vo1t…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.20 (semver) Affected: 10.1.0-M1 , ≤ 10.1.53 (semver) Affected: 9.0.40 , ≤ 9.0.116 (semver) Affected: 8.5.84 , ≤ 8.5.100 (semver) Unaffected: 0 , ≤ 8.5.83 (semver)

Credits

Bartlomiej Dmitruk, striga.ai

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:53.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34483",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:16:32.864927Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:17:38.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.83",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk, striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:30:28.874Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Incomplete escaping of JSON access logs",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34483",
    "datePublished": "2026-04-09T19:30:28.874Z",
    "dateReserved": "2026-03-30T07:40:44.705Z",
    "dateUpdated": "2026-04-10T20:17:38.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24880 (GCVE-0-2026-24880)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:12 – Updated: 2026-04-10 18:33

Title

Apache Tomcat: Request smuggling via invalid chunk extension

Summary

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/2c682qnlg2tv4o5kn…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.1.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.0.M1 , ≤ 9.0.115 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.0.0 (semver) Unknown: 8.0.0-RC1 , ≤ 8.0.53 (semver)

Credits

Xclow3n

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:44.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/20"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:33:19.886460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:33:49.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.0",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.0.53",
              "status": "unknown",
              "version": "8.0.0-RC1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Xclow3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u003cbr\u003eOther, unsupported versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:12:10.730Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Request smuggling via invalid chunk extension",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-24880",
    "datePublished": "2026-04-09T19:12:10.730Z",
    "dateReserved": "2026-01-27T18:06:58.294Z",
    "dateUpdated": "2026-04-10T18:33:49.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25854 (GCVE-0-2026-25854)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:13 – Updated: 2026-04-10 18:22

Title

Apache Tomcat: Occasionally open redirect

Summary

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/ghct3b6o74bp2vm7q…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.1.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.0.M23 , ≤ 9.0.115 (semver) Affected: 8.5.30 , ≤ 8.5.100 (semver) Unaffected: 0 , ≤ 7.0.109 (semver)

Credits

gregk4sec (https://github.com/gregk4sec)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:47.041Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/21"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25854",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:21:57.176392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:22:34.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.0.M23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "gregk4sec (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOccasional URL redirection to untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\u003cbr\u003eOther, unsupported versions may also be affected\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Occasional URL redirection to untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:13:13.529Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Occasionally open redirect",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-25854",
    "datePublished": "2026-04-09T19:13:13.529Z",
    "dateReserved": "2026-02-06T16:25:11.569Z",
    "dateUpdated": "2026-04-10T18:22:34.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66614 (GCVE-0-2025-66614)

Vulnerability from cvelistv5 – Published: 2026-02-17 18:48 – Updated: 2026-03-24 09:46

Title

Apache Tomcat: Client certificate verification bypass due to virtual host mapping

Summary

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/vw6lxtlh2qbqwpb61…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.14 (semver) Affected: 10.1.0-M1 , ≤ 10.1.49 (semver) Affected: 9.0.0-M1 , ≤ 9.0.112 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Unaffected: 0 , < 8.5.0 (semver)

Credits

Sven Hebrok, Willi Hensch, Felix Cramer, Tim Leonhard Storm, Maximilian Radoy, and Juraj Somorovsky from Paderborn University

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-66614",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-21T21:17:26.335968Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:19:31.014Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.14",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.49",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.112",
              "status": "affected",
              "version": "9.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sven Hebrok, Willi Hensch, Felix Cramer, Tim Leonhard Storm, Maximilian Radoy, and Juraj Somorovsky from Paderborn University"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Input Validation vulnerability.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.\u003c/p\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.\u003cbr\u003e\u003cp\u003eTomcat did not validate that the host name provided via the SNI \nextension was the same as the host name provided in the HTTP host header \nfield. If Tomcat was configured with more than one virtual host and the \nTLS configuration for one of those hosts did not require client \ncertificate authentication but another one did, it was possible for a \nclient to bypass the client certificate authentication by sending \ndifferent host names in the SNI extension and the HTTP host header field.\n\u003cbr\u003e\n\u003cbr\u003eThe vulnerability only applies if client certificate authentication is \nonly enforced at the Connector. It does not apply if client certificate \nauthentication is enforced at the web application.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.\nTomcat did not validate that the host name provided via the SNI \nextension was the same as the host name provided in the HTTP host header \nfield. If Tomcat was configured with more than one virtual host and the \nTLS configuration for one of those hosts did not require client \ncertificate authentication but another one did, it was possible for a \nclient to bypass the client certificate authentication by sending \ndifferent host names in the SNI extension and the HTTP host header field.\n\n\n\nThe vulnerability only applies if client certificate authentication is \nonly enforced at the Connector. It does not apply if client certificate \nauthentication is enforced at the web application.\n\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T09:46:33.159Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Client certificate verification bypass due to virtual host mapping",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-66614",
    "datePublished": "2026-02-17T18:48:30.577Z",
    "dateReserved": "2025-12-05T11:54:31.778Z",
    "dateUpdated": "2026-03-24T09:46:33.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34487 (GCVE-0-2026-34487)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:36 – Updated: 2026-04-10 17:49

Title

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Summary

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/4xpkwolpkrj8v5xzp…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.20 (semver) Affected: 10.1.0-M1 , ≤ 10.1.53 (semver) Affected: 9.0.13 , ≤ 9.0.116 (semver)

Credits

Bartlomiej Dmitruk, striga.ai

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:54.609Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/28"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34487",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:47:28.920468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:49:44.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.13",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk, striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:36:12.048Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34487",
    "datePublished": "2026-04-09T19:36:12.048Z",
    "dateReserved": "2026-03-30T08:10:48.531Z",
    "dateUpdated": "2026-04-10T17:49:44.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34486 (GCVE-0-2026-34486)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:35 – Updated: 2026-04-10 20:20

Title

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Summary

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-311 - Missing Encryption of Sensitive Data

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/9510k5p5zdvt9pkkg…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.20 (semver) Affected: 10.1.53 (semver) Affected: 9.0.116 (semver)

Credits

Bartlomiej Dmitruk at striga.ai

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34486",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:20:09.561886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:20:56.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "11.0.20",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "10.1.53",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "9.0.116",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk at striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u0026nbsp;fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311 Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:35:35.994Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34486",
    "datePublished": "2026-04-09T19:35:35.994Z",
    "dateReserved": "2026-03-30T07:57:49.315Z",
    "dateUpdated": "2026-04-10T20:20:56.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.