Detections
Analytics
SCA: security update for org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat:tomcat, org.apache.tomcat:tomcat-catalina (GHSA-qq5r-98hh-rxc9)
medium Tenable Cloud Security Plugin ID 437863
Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:- Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the
GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests,
the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request
using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through
10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to
upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
(CVE-2026-24733)
Solution
Update the org.apache.tomcat.embed:tomcat-embed-core library and its related packages to version 10.1.50 or later.See Also
Plugin Details
Severity: Medium
ID: 437863
Version: Revision 1.9
Type: Local
Family: SCA Checks
Published: 2/19/2026
Updated: 6/1/2026
Risk Information
VPR
Risk Factor: Low
Score: 1.4
Vendor
Vendor Severity: Low
CVSS v2
Risk Factor: Low
Base Score: 2.6
Temporal Score: 1.9
Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2026-24733
CVSS v3
Risk Factor: Low
Base Score: 3.7
Temporal Score: 3.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS v4
Risk Factor: Medium
Base Score: 6.9
Threat Score: 2.7
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: No known exploits are available
Patch Publication Date: 2/17/2026
Vulnerability Publication Date: 12/8/2025
Reference Information
CVE: CVE-2026-24733
cwe: CWE-20