Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

The remote Ubuntu 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8450-1 advisory.

    It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies.
    A remote attacker could possibly use this issue to cause Tomcat to consume excessive memory, resulting in     a denial of service. (CVE-2026-41284)

    It was discovered that Tomcat incorrectly validated HTTP/2 header fields. A remote attacker could use this     issue to cause Tomcat to crash or possibly execute arbitrary code. (CVE-2026-41293)

    It was discovered that Tomcat did not properly clear HTTP authentication headers during WebSocket     connection upgrades and redirects. A remote attacker could possibly use this issue to obtain sensitive     credentials. (CVE-2026-42498)

    It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined     the same HTTP method. A remote attacker could possibly use this issue to bypass authorization     restrictions. (CVE-2026-43515)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2377-1 advisory.

    This update for tomcat10 fixes the following issues

    Update to Tomcat 10.1.55:

    - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
    - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
    - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
    - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).
    - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
    - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
    - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).

    Changes:

     * Catalina      + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and      OpenSSL version information (both APR and FFM implementations), along with      version compatibility warnings and third-party library version      information. (csutherl)      + Code: Refactor generation of the remote user element in the access log to      remove unnecessary code. (markt)      + Fix: Fix a regression in the previous release that meant ?- could appear      in the access log rather than ? when the query string was present but      empty. (markt)      + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by      Mahmoud Alarby. (remm)      + Fix: Align the escaping in ExtendedAccessLogValve with the other      AccessLogValve implementations. (markt)      + Fix: 70000: fix duplication of special headers in the response after      commit, following fix for 69967. (remm)      + Fix: Correct the handling of URIs mapped to a security constraint that      only specifies the special ** role for all authenticated users. Requests      without authentication were receiving 403 responses rather than 401      responses. (markt)      + Fix: Fix a race condition in StandardContext.getServletContext() that      could cause the jakarta.servlet.context.tempdir attribute to be lost      during a context reload. Make the context field volatile and use locking      to ensure only one ApplicationContext instance is created. (dsoumis)      + Fix: Update the Windows authentication (kerberos) documentation to reflect      that both Java and Windows are removing / have removed support for      RC4-HMAC. The guide now uses AES256-SHA1. (markt)      + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize      which limits the size of a WebDAV request body for LOCK and PROPFIND. The      default value is 4096 bytes. (markt)      + Add: Add a new caseSensitive attribute to the LockOutRealm that controls      the manner in which user names are treated when making locking decisions.
     The default is false, meaning user names are treated in a case insensitive      manner. (markt)      + Fix: Correct the handling of invalid users with DIGEST authentication.
     (markt)      + Fix: Ensure RealmBase finds all matching extension based security      constraints. (markt)
     * Coyote      + Fix: Avoid various edge cases if Content-Length is set via      setHeader(String,String) or addHeader(String,String) with an invalid value      by always clearing the previous value whether the new value is valid or      not and ignoring any invalid new value. (markt)      + Code: Refactor the calculation of the real index in the HPACK dynamic      header table implementation to reduce code duplication. (markt)      + Fix: Fix various minor issues with some HTTP/2 stream error messages for      HTTP/2. (markt)      + Fix: Consistently reject URIs containing NULL bytes when normalizing.
     + Fix: Fix a few minor memory leaks on error paths reading TLS keys and      certificates when using FFM. (markt)      + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC      after a stream reset. (markt)      + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields      not permitted in trailers. (markt)      + Fix: Free private keys after use in FFM based connector configuration.
     + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header      decoding that could result in a valid header triggering an unexpected      connection close. (markt)      + Fix: Refactor HTTP/2 HPACK encoding so header field names are only      converted to lower case once during the encoding process. (markt)      + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend      validation to check for disallowed characters as well as upper case      characters. (markt)      + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)      + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent      with the use (or not) of TLS. (markt)      + Fix: Correct the validation of pseudo headers and CONNECT requests to      align Tomcat's behaviour with RFC 9113, section 8.5. (markt)      + Fix: Fix a potential integer overflow when allocating capacity from a      connection level window update to individual HTTP/2 streams. Based on #996      by Mike Tingey Jr. (markt)      + Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
     * WebSocket      + Fix: Fix the initial connection to a WebSocket end point where the      connection is made via a proxy that requires DIGEST authentication.
     * Other      + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)      + Add: Add warning when OpenSSL binary is not found. (csutherl)      + Add: Add check for Tomcat Native library, and log warning when it's not      found to make it easier to see when it's not used by the suite. (csutherl)      + Update: Update Byte Buddy to 1.18.8. (markt)      + Update: Update Bouncy Castle to 1.84. (markt)      + Update: Improvements to French translations. (remm)      + Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2374-1 advisory.

    This update for tomcat11 fixes the following issues

    Update to Tomcat 11.0.22:

    - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
    - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
    - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
    - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).
    - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
    - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
    - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).

    Changes:

     * Catalina      + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and      OpenSSL version information (both APR and FFM implementations), along with      version compatibility warnings and third-party library version      information. (csutherl)      + Code: Refactor generation of the remote user element in the access log to      remove unnecessary code. (markt)      + Fix: Fix a regression in the previous release that meant ?- could appear      in the access log rather than ? when the query string was present but      empty. (markt)      + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by      Mahmoud Alarby. (remm)      + Fix: Align the escaping in ExtendedAccessLogValve with the other      AccessLogValve implementations. (markt)      + Fix: 70000: fix duplication of special headers in the response after      commit, following fix for 69967. (remm)      + Fix: Correct the handling of URIs mapped to a security constraint that      only specifies the special ** role for all authenticated users. Requests      without authentication were receiving 403 responses rather than 401      responses. (markt)      + Fix: Fix a race condition in StandardContext.getServletContext() that      could cause the jakarta.servlet.context.tempdir attribute to be lost      during a context reload. Make the context field volatile and use locking      to ensure only one ApplicationContext instance is created. (dsoumis)      + Fix: Update the Windows authentication (kerberos) documentation to reflect      that both Java and Windows are removing / have removed support for      RC4-HMAC. The guide now uses AES256-SHA1. (markt)      + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize      which limits the size of a WebDAV request body for LOCK and PROPFIND. The      default value is 4096 bytes. (markt)      + Add: Add a new caseSensitive attribute to the LockOutRealm that controls      the manner in which user names are treated when making locking decisions.
     The default is false, meaning user names are treated in a case insensitive      manner. (markt)      + Fix: Correct the handling of invalid users with DIGEST authentication.
     (markt)      + Fix: Ensure RealmBase finds all matching extension based security      constraints. (markt)
     * Coyote      + Fix: Avoid various edge cases if Content-Length is set via      setHeader(String,String) or addHeader(String,String) with an invalid value      by always clearing the previous value whether the new value is valid or      not and ignoring any invalid new value. (markt)      + Code: Refactor the calculation of the real index in the HPACK dynamic      header table implementation to reduce code duplication. (markt)      + Fix: Fix various minor issues with some HTTP/2 stream error messages for      HTTP/2. (markt)      + Fix: Consistently reject URIs containing NULL bytes when normalizing.
     + Fix: Fix a few minor memory leaks on error paths reading TLS keys and      certificates when using FFM. (markt)      + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC      after a stream reset. (markt)      + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields      not permitted in trailers. (markt)      + Fix: Free private keys after use in FFM based connector configuration.
     + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header      decoding that could result in a valid header triggering an unexpected      connection close. (markt)      + Fix: Refactor HTTP/2 HPACK encoding so header field names are only      converted to lower case once during the encoding process. (markt)      + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend      validation to check for disallowed characters as well as upper case      characters. (markt)      + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)      + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent      with the use (or not) of TLS. (markt)      + Fix: Correct the validation of pseudo headers and CONNECT requests to      align Tomcat's behaviour with RFC 9113, section 8.5. (markt)      + Fix: Fix a potential integer overflow when allocating capacity from a      connection level window update to individual HTTP/2 streams. Based on #996      by Mike Tingey Jr. (markt)      + Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
     * WebSocket      + Fix: Fix the initial connection to a WebSocket end point where the      connection is made via a proxy that requires DIGEST authentication.
     * Other      + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)      + Add: Add warning when OpenSSL binary is not found. (csutherl)      + Add: Add check for Tomcat Native library, and log warning when it's not      found to make it easier to see when it's not used by the suite. (csutherl)      + Update: Update Byte Buddy to 1.18.8. (markt)      + Update: Update Bouncy Castle to 1.84. (markt)      + Update: Improvements to French translations. (remm)      + Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2299-1 advisory.

    This update for tomcat fixes the following issues

    Update to Tomcat 9.0.118:

    - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
    - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
    - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
    - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).
    - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
    - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
    - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).

    Changes:

     * Catalina      + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and      OpenSSL version information (both APR and FFM implementations), along with      version compatibility warnings and third-party library version      information. (csutherl)      + Code: Refactor generation of the remote user element in the access log to      remove unnecessary code. (markt)      + Fix: Fix a regression in the previous release that meant ?- could appear      in the access log rather than ? when the query string was present but      empty. (markt)      + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by      Mahmoud Alarby. (remm)      + Fix: Align the escaping in ExtendedAccessLogValve with the other      AccessLogValve implementations. (markt)      + Fix: 70000: fix duplication of special headers in the response after      commit, following fix for 69967. (remm)      + Fix: Correct the handling of URIs mapped to a security constraint that      only specifies the special ** role for all authenticated users. Requests      without authentication were receiving 403 responses rather than 401      responses. (markt)      + Fix: Fix a race condition in StandardContext.getServletContext() that      could cause the jakarta.servlet.context.tempdir attribute to be lost      during a context reload. Make the context field volatile and use locking      to ensure only one ApplicationContext instance is created. (dsoumis)      + Fix: Update the Windows authentication (kerberos) documentation to reflect      that both Java and Windows are removing / have removed support for      RC4-HMAC. The guide now uses AES256-SHA1. (markt)      + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize      which limits the size of a WebDAV request body for LOCK and PROPFIND. The      default value is 4096 bytes. (markt)      + Add: Add a new caseSensitive attribute to the LockOutRealm that controls      the manner in which user names are treated when making locking decisions.
     The default is false, meaning user names are treated in a case insensitive      manner. (markt)      + Fix: Correct the handling of invalid users with DIGEST authentication.
     (markt)      + Fix: Ensure RealmBase finds all matching extension based security      constraints. (markt)
     * Coyote      + Fix: Avoid various edge cases if Content-Length is set via      setHeader(String,String) or addHeader(String,String) with an invalid value      by always clearing the previous value whether the new value is valid or      not and ignoring any invalid new value. (markt)      + Code: Refactor the calculation of the real index in the HPACK dynamic      header table implementation to reduce code duplication. (markt)      + Fix: Fix various minor issues with some HTTP/2 stream error messages for      HTTP/2. (markt)      + Fix: Consistently reject URIs containing NULL bytes when normalizing.
     + Fix: Fix a few minor memory leaks on error paths reading TLS keys and      certificates when using FFM. (markt)      + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC      after a stream reset. (markt)      + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields      not permitted in trailers. (markt)      + Fix: Free private keys after use in FFM based connector configuration.
     + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header      decoding that could result in a valid header triggering an unexpected      connection close. (markt)      + Fix: Refactor HTTP/2 HPACK encoding so header field names are only      converted to lower case once during the encoding process. (markt)      + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend      validation to check for disallowed characters as well as upper case      characters. (markt)      + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)      + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent      with the use (or not) of TLS. (markt)      + Fix: Correct the validation of pseudo headers and CONNECT requests to      align Tomcat's behaviour with RFC 9113, section 8.5. (markt)      + Fix: Fix a potential integer overflow when allocating capacity from a      connection level window update to individual HTTP/2 streams. Based on #996      by Mike Tingey Jr. (markt)      + Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
     * WebSocket      + Fix: Fix the initial connection to a WebSocket end point where the      connection is made via a proxy that requires DIGEST authentication.
     * Other      + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)      + Add: Add warning when OpenSSL binary is not found. (csutherl)      + Add: Add check for Tomcat Native library, and log warning when it's not      found to make it easier to see when it's not used by the suite. (csutherl)      + Update: Update Byte Buddy to 1.18.8. (markt)      + Update: Update Bouncy Castle to 1.84. (markt)      + Update: Improvements to French translations. (remm)      + Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8417-1 advisory.

    It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies.
    A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial     of service. (CVE-2026-41284)

    It was discovered that Tomcat incorrectly validated HTTP/2 header fields. A remote attacker could use this     issue to cause Tomcat to crash or possibly execute arbitrary code. (CVE-2026-41293)

    It was discovered that Tomcat did not properly clear HTTP authentication headers during WebSocket     connection upgrades and redirects. A remote attacker could use this issue to obtain sensitive credentials.
    (CVE-2026-42498)

    It was discovered that Tomcat incorrectly handled digest authentication. A remote attacker could possibly     use this issue to bypass authentication restrictions. (CVE-2026-43512)

    It was discovered that Tomcat incorrectly handled case sensitivity in LockOutRealm. A remote attacker     could possibly use this issue to bypass account lockout protections and obtain sensitive information.
    (CVE-2026-43513)

    It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined     the same HTTP method. A remote attacker could possibly use this issue to bypass authorization     restrictions. (CVE-2026-43515)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1770 advisory.

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117.Older, unsupported versions may also be affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41284)

    Improper Input Validation vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.Older, end of support versions may also be     affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41293)

    Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
    (CVE-2026-42498)

    DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.Older unsupported versions any     also be affect

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

    Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

    Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.118-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2026-026 advisory.

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117.Older, unsupported versions may also be affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41284)

    Improper Input Validation vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.Older, end of support versions may also be     affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41293)

    Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
    (CVE-2026-42498)

    DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.Older unsupported versions any     also be affect

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

    Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

    Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1776 advisory.

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117.Older, unsupported versions may also be affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41284)

    Improper Input Validation vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.Older, end of support versions may also be     affected.

    Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. (CVE-2026-41293)

    Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
    (CVE-2026-42498)

    DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.Older unsupported versions any     also be affect

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

    Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Older unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

    Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from     9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

    Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6329 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6329-1                   security@debian.org     https://www.debian.org/security/                          Markus Koschany     June 08, 2026                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : tomcat11     CVE ID         : CVE-2026-24734 CVE-2026-24880 CVE-2026-25854 CVE-2026-29129                      CVE-2026-29145 CVE-2026-29146 CVE-2026-32990 CVE-2026-34483                      CVE-2026-34487 CVE-2026-34500 CVE-2026-41284 CVE-2026-41293                      CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514                      CVE-2026-43515

    Multiple security vulnerabilities have been discovered in Tomcat 11, a Java     based web server, servlet and JSP engine which may result in a denial of     service, authentication bypass or the disclosure of sensitive information.

    Although we are not aware of any problems, new upstream versions may introduce     new options, limits or code changes which may or may not affect your existing     web applications. We recommend to consult the Tomcat 11 documentation for     further information.

    For the stable distribution (trixie), these problems have been fixed in     version 11.0.22-1~deb13u1.

    We recommend that you upgrade your tomcat11 packages.

    For the detailed security status of tomcat11 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat11

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6328 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6328-1                   security@debian.org     https://www.debian.org/security/                          Markus Koschany     June 08, 2026                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : tomcat10     CVE ID         : CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145                      CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487                      CVE-2026-34500 CVE-2026-41284 CVE-2026-41293 CVE-2026-42498                      CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515

    Multiple security vulnerabilities have been discovered in Tomcat 10, a Java     based web server, servlet and JSP engine which may result in a denial of     service, authentication bypass or the disclosure of sensitive information.

    Although we are not aware of any problems, new upstream versions may introduce     new options, limits or code changes which may or may not affect your existing     web applications. We recommend to consult the Tomcat 10 documentation for     further information.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 10.1.55-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 10.1.55-1~deb13u1.

    We recommend that you upgrade your tomcat10 packages.

    For the detailed security status of tomcat10 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat10

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4619 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4619-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     June 07, 2026                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : tomcat9     Version        : 9.0.118-0+deb11u1     CVE ID         : CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145                      CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487                      CVE-2026-34500 CVE-2026-41284 CVE-2026-41293 CVE-2026-42498                      CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515

    Multiple security vulnerabilities have been discovered in Tomcat 9, a Java     based web server, servlet and JSP engine which may result in a denial of     service, authentication bypass or the disclosure of sensitive information.

    In order to address certain vulnerabilities and restore the compatibility with     Tomcat 9, an upgrade of the Tomcat native library, libtcnative-1, was required     as well.

    Although we are not aware of any problems, new upstream versions may introduce     new options, limits or code changes which may or may not affect your existing     web applications. We recommend to consult the Tomcat 9 documentation for     further information.

    For Debian 11 bullseye, these problems have been fixed in version     9.0.118-0+deb11u1.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.22. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.22_security-11 advisory.

  - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This     issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1     through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be     affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

  - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from     10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through     7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

  - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

  - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

  - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through     10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are     recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue. (CVE-2026-42498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.118, 10.1.0-M1 prior to 10.1.55 or 11.0.0-M1 prior to 11.0.22. It is, therefore, affected by multiple vulnerabilities :

 - When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. (CVE-2026-43515)

 - The AJP secret was compared in non-constant time allowing an attacker on the local network to mount a timing attack to determine the AJP secret. (CVE-2026-43514)

 - The LockOut Realm treated user names as case sensitive, reducing effectiveness at blocking brute force attacks against a user's password in Realms where the user name was case insensitive. (CVE-2026-43513)

 - When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if they presented the password 'null'. (CVE-2026-43512)

 - If a WebSocket request was redirected after authentication, Tomcat's WebSocket client would present the most recent authentication header to the redirect target host. (CVE-2026-42498)

 - HTTP/2 request headers were not validated, which may trigger unexpected application behavior if the application assumed header values exposed through the Servlet API would be specification compliant. (CVE-2026-41293)

 - No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests available to unauthenticated users. (CVE-2026-41284)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version     [FIXED_VERSION], which fixes the issue. (CVE-2026-41284)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Tomcat installed on the remote host is prior to 10.1.55. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.55_security-10 advisory.

  - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This     issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1     through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be     affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

  - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from     10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through     7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

  - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

  - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

  - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through     10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are     recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue. (CVE-2026-42498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.118. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.118_security-9 advisory.

  - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This     issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1     through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be     affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

  - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same     extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from     10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through     7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

  - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

  - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through     9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be     affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

  - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability     in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through     10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are     recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue. (CVE-2026-42498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
321761	Ubuntu 26.04 LTS : Tomcat vulnerabilities (USN-8450-1)	Nessus	Ubuntu Local Security Checks	critical
321045	SUSE SLES15 Security Update : tomcat10 (SUSE-SU-2026:2377-1)	Nessus	SuSE Local Security Checks	critical
321042	SUSE SLES15 Security Update : tomcat11 (SUSE-SU-2026:2374-1)	Nessus	SuSE Local Security Checks	critical
321012	SUSE SLES12 Security Update : tomcat (SUSE-SU-2026:2299-1)	Nessus	SuSE Local Security Checks	critical
320598	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Tomcat vulnerabilities (USN-8417-1)	Nessus	Ubuntu Local Security Checks	critical
319830	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2026-1770)	Nessus	Amazon Linux Local Security Checks	critical
319807	Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2026-026 (ALASTOMCAT9-2026-026)	Nessus	Amazon Linux Local Security Checks	critical
319776	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2026-1776)	Nessus	Amazon Linux Local Security Checks	critical
319683	Debian dsa-6329 : libtomcat11-embed-java - security update	Nessus	Debian Local Security Checks	high
319682	Debian dsa-6328 : libtomcat10-embed-java - security update	Nessus	Debian Local Security Checks	high
319611	Debian dla-4619 : libtomcat9-embed-java - security update	Nessus	Debian Local Security Checks	high
316002	Apache Tomcat 11.0.0.M1 < 11.0.22 multiple vulnerabilities	Nessus	Web Servers	critical
115240	Apache Tomcat 9.0.0-M1 < 9.0.118 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
115239	Apache Tomcat 10.1.0-M1 < 10.1.55 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
115238	Apache Tomcat 11.0.0-M1 < 11.0.22 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
314465	Linux Distros Unpatched Vulnerability : CVE-2026-41284	Nessus	Misc.	high
314335	Apache Tomcat 10.1.0.M1 < 10.1.55 multiple vulnerabilities	Nessus	Web Servers	critical
314334	Apache Tomcat 9.0.0.M1 < 9.0.118 multiple vulnerabilities	Nessus	Web Servers	critical

Detections

Analytics

CVE-2026-41284

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high

high

high

critical

critical

critical

critical

high

critical

critical