The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities :

 - A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. (CVE-2025-55668)

 - When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. (CVE-2025-49125)

 - During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability. (CVE-2025-49124)

 - Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. (CVE-2025-48988)

 - Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. (CVE-2025-48976)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-986107 advisory.

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.
    Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.106-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2025-020 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Tomcat installed on the remote host is prior to 10.1.42. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.42_security-10 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.8_security-11 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6120 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6120-1                   security@debian.org     https://www.debian.org/security/                          Markus Koschany     February 05, 2026                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : tomcat10     CVE ID         : CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989                      CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668                      CVE-2025-55752 CVE-2025-55754 CVE-2025-61795 CVE-2025-31650                      CVE-2025-31651     Debian Bug     : 1106820 1108119 1108117 1111097 1108115 1109112 1109114 1111099 1119294


    Several security vulnerabilities have been found in Tomcat 10, a Java web     server and servlet engine. This update improves the handling of HTTP/2     connections and corrects various flaws which can lead to uncontrolled resource     consumption and a denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 10.1.52-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 10.1.52-1~deb13u1.

    We recommend that you upgrade your tomcat10 packages.

    For the detailed security status of tomcat10 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat10

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1093 advisory.

    For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat     could lead to a DoS via bypassing of size limits.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-52520)

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge     the initial settings frame that reduces the maximum permitted concurrent streams.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-53506)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.106. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.106_security-9 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1065 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6121 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6121-1                   security@debian.org     https://www.debian.org/security/                          Markus Koschany     February 05, 2026                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : tomcat11     CVE ID         : CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989                      CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668                      CVE-2025-55752 CVE-2025-55754 CVE-2025-61795     Debian Bug     : 1106821 1108118 1108116 1111096 1108114 1109111 1109113 1111098


    Several security vulnerabilities have been found in Tomcat 11, a Java web     server and servlet engine. This update improves the handling of HTTP/2     connections and corrects various flaws which can lead to uncontrolled resource     consumption and a denial of service.

    For the stable distribution (trixie), these problems have been fixed in     version 11.0.15-1~deb13u1.

    We recommend that you upgrade your tomcat11 packages.

    For the detailed security status of tomcat11 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat11

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
114888	Apache Tomcat 9.0.0-M1 < 9.0.106 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	6/20/2025	6/20/2025	high
114886	Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	6/20/2025	6/20/2025	high
114887	Apache Tomcat 10.1.0-M1 < 10.1.42 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	6/20/2025	6/20/2025	high
268953	Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: tomcat (UTSA-2025-986107)	Nessus	Unity Linux Local Security Checks	10/7/2025	10/10/2025	medium
241736	Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2025-020 (ALASTOMCAT9-2025-020)	Nessus	Amazon Linux Local Security Checks	7/10/2025	10/30/2025	high
260004	Linux Distros Unpatched Vulnerability : CVE-2025-55668	Nessus	Misc.	8/31/2025	4/29/2026	medium
240058	Apache Tomcat 10.1.0.M1 < 10.1.42 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	1/21/2026	high
240059	Apache Tomcat 11.0.0.M1 < 11.0.8 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	1/21/2026	high
298164	Debian dsa-6120 : libtomcat10-embed-java - security update	Nessus	Debian Local Security Checks	2/5/2026	3/3/2026	high
243501	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2025-1093)	Nessus	Amazon Linux Local Security Checks	8/4/2025	1/21/2026	high
240060	Apache Tomcat 9.0.0.M1 < 9.0.106 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	1/21/2026	high
241733	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1065)	Nessus	Amazon Linux Local Security Checks	7/10/2025	10/30/2025	high
298161	Debian dsa-6121 : libtomcat11-embed-java - security update	Nessus	Debian Local Security Checks	2/5/2026	3/3/2026	high

Detections

Analytics

Plugins Search

high

high

high

medium

high

medium

high

high

high

high

high

high

high