CVEFinder.io

CVE-2026-41293

β›” critical
πŸ” Scan for this CVE
Summary

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

CVSS Score
9.8
Critical
EPSS Score
0.2
Exploit Probability
Published Date
2026-05-12
First Seen: 2026-05-17
πŸ“Š Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 328,009 vulnerabilities in our database.

#31,168
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 14, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
YES
Can be exploited automatically
πŸ’₯ Technical Impact
Total
Complete system compromise possible
πŸ† Discovered By
Dawit Jeong (@dawitngoliath)
SSVC data provided by CISA
Last Modified 2026-05-15
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-20

πŸ“¦ Affected Products 5

Vendor Product Status Affected Versions
apache tomcat Affected
> 10.0.0 < 10.0.27
apache tomcat Affected
> 10.1.0 < 10.1.55
apache tomcat Affected
> 11.0.0 < 11.0.22
apache tomcat Affected
> 8.5.0 < 8.5.100
apache tomcat Affected
> 9.0.0 < 9.0.118

πŸ”— References 2

https://lists.apache.org/thread/qwg0q16z7xkb2qrr853w...
Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/1...
Mailing List Third Party Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-41284 ⚠️ high 7.5 0.1 Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: ... 2026-05-12
CVE-2026-42498 ⚠️ high 7.3 0.1 Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomca... 2026-05-12
CVE-2026-43512 β›” critical 9.8 0.1 DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Ap... 2026-05-12
CVE-2026-43513 ⚠️ high 7.5 0.1 Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat:... 2026-05-12
CVE-2026-43514 ℹ️ low 3.7 0.1 Observable Timing Discrepancy vulnerabilityΒ when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomc... 2026-05-12
CVE-2026-43515 β›” critical 9.1 0.1 Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Ap... 2026-05-12
These CVEs affect the same products