CRITICAL🇵🇱 Wersja polska

CVE-2026-41293

CVSS 9.8pub. 2026-05-12upd. 2026-05-15

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from the lack of proper verification of user-supplied input data to the Apache Tomcat server. An attacker can send an appropriately crafted network request without the need for authentication or user interaction. The attack vector is network-based, and attack complexity is low, making the vulnerability exceptionally easy to exploit.

Impact

Successful exploitation of this vulnerability may result in complete loss of confidentiality, integrity, and availability of the system — an attacker can gain unauthorized access to data, modify server content, or cause its unavailability.

Mitigation & patch

Apply patches available from the vendor according to the references (the target fixed version was not explicitly indicated in the description — it is recommended to verify the Apache mailing list and official vendor references). In the meantime, it is worth considering restricting network access to the Tomcat server using a firewall.

Who is affected

Apache Tomcat in versions: from 11.0.0-M1 to 11.0.21, from 10.1.0-M1 to 10.1.54, from 9.0.0.M1 to 9.0.117, from 10.0.0-M1 to 10.0.27. Older, unsupported versions may also be vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Tomcat

    APP
    Apache
    8.5.0 – 8.5.1009.0.0 – 9.0.118 (bez)10.0.0 – 10.0.2710.1.0 – 10.1.55 (bez)11.0.0 – 11.0.22 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych

CVE-2020-1938CRITICAL9.8⚠ KEVten sam produkt

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...

CVE-2016-8735CRITICAL9.8⚠ KEVten sam produkt

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....

CVE-2026-53434CRITICAL9.1ten sam produkt

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas...

CVE-2026-55276CRITICAL9.1ten sam produkt

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty...