Multiple Vulnerabilities in Apache Tomcat Exposed

First seen 2 Jul 2026, 18:59 UTC. Sources: HKCERT, tomcat.apache.org, cve.mitre.org

Article Content


Apache Tomcat has reported multiple vulnerabilities affecting versions 9.x, 10.x, and 11.x, including CVE-2026-55956, CVE-2026-55955, CVE-2026-55276, and CVE-2026-53434. These vulnerabilities could allow remote attackers to bypass security restrictions, carry out replay attacks, and cause incomplete web.xml logging. The vulnerabilities were reported between June 8 and June 17, 2026, and made public on June 29, 2026. Users of affected versions are urged to upgrade to the latest releases to mitigate these risks. Apache Tomcat 10.0.x has reached end of life and no longer receives security fixes, so its users are advised to upgrade to 10.1.x or later. The vulnerabilities have been assigned varying severity ratings, with some classified as moderate and others as low. No active exploitation has been reported at this time.

Key Points:
• Apache Tomcat 9.x, 10.x, and 11.x have multiple reported vulnerabilities.
• Key CVEs include CVE-2026-55956, CVE-2026-55955, CVE-2026-55276, and CVE-2026-53434.
• Users are advised to upgrade to the latest Tomcat versions to mitigate risks.

ThreatCluster AI

Timeline

2020-05-19: Public exploit for CVE-2020-9484 released
A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers. (Source: GitHub)

2023-02-20: CVE-2023-24998 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2024-12-17: CVE-2024-50379 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2026-02-17: CVE-2025-66614 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2026-04-09: CVE-2026-29146 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2026-06-08: CVE-2026-53434 reported
Invalid CRL configuration in the FFM Connector allowed acceptance of invalid certificates. (Source: Article 1)

2026-06-15: CVE-2026-55956 reported
Security constraints for the default servlet were ignored, posing a security risk. (Source: Article 1)

2026-06-17: CVE-2026-55955 reported
EncryptInterceptor was not protected against replay attacks, contrary to its documentation. (Source: Article 1)

2026-06-29: Vulnerabilities made public
The reported vulnerabilities were disclosed to the public, affecting multiple Tomcat versions. (Source: Article 1)

2026-07-02: Security bulletin released
HKCERT issued a bulletin on multiple vulnerabilities in Apache Tomcat, urging users to apply fixes. (Source: HKCERT)
