Skip to content

spring-boot-starter-web-3.2.5.jar: 49 vulnerabilities (highest severity is: 9.8) #11

Open
Open
spring-boot-starter-web-3.2.5.jar: 49 vulnerabilities (highest severity is: 9.8)#11
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jul 5, 2024
Vulnerable Library - spring-boot-starter-web-3.2.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible**
CVE-2026-43512 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2026-41293 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2025-31651 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.3.11
CVE-2025-24813 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.3.9
CVE-2024-56337 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.3.7
CVE-2024-52316 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.2.11
CVE-2024-50379 Critical 9.8 tomcat-embed-core-10.1.20.jar Transitive 3.3.7
CVE-2025-55754 Critical 9.6 tomcat-embed-core-10.1.20.jar Transitive 3.4.10
CVE-2026-43515 Critical 9.1 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2026-29145 Critical 9.1 tomcat-embed-core-10.1.20.jar Transitive 3.5.13
CVE-2024-38286 High 8.6 tomcat-embed-core-10.1.20.jar Transitive 3.2.7
CVE-2025-49124 High 8.4 tomcat-embed-core-10.1.20.jar Transitive N/A*
CVE-2025-66614 High 7.6 tomcat-embed-core-10.1.20.jar Transitive 3.4.13
CVE-2026-43513 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2026-41842 High 7.5 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-41284 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2026-34487 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.14
CVE-2026-34483 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.14
CVE-2026-29146 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.13
CVE-2026-24880 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.5.13
CVE-2025-55752 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.4.10
CVE-2025-53506 High 7.5 tomcat-embed-core-10.1.20.jar Transitive N/A*
CVE-2025-52520 High 7.5 tomcat-embed-core-10.1.20.jar Transitive N/A*
CVE-2025-49125 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.3.13
CVE-2025-48989 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.4.9
CVE-2025-48988 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.3.13
CVE-2025-48976 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.3.13
CVE-2025-31650 High 7.5 tomcat-embed-core-10.1.20.jar Transitive N/A*
CVE-2024-38819 High 7.5 spring-webmvc-6.1.6.jar Transitive 3.2.11
CVE-2024-38816 High 7.5 spring-webmvc-6.1.6.jar Transitive 3.2.10
CVE-2024-34750 High 7.5 tomcat-embed-core-10.1.20.jar Transitive 3.2.7
CVE-2026-24734 High 7.4 tomcat-embed-core-10.1.20.jar Transitive 3.5.11
CVE-2026-42498 High 7.3 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2025-46701 High 7.3 tomcat-embed-core-10.1.20.jar Transitive N/A*
CVE-2026-24733 Medium 6.5 tomcat-embed-core-10.1.20.jar Transitive 3.4.13
CVE-2025-55668 Medium 6.5 tomcat-embed-core-10.1.20.jar Transitive 3.3.13
CVE-2024-52317 Medium 6.5 tomcat-embed-core-10.1.20.jar Transitive 3.2.11
CVE-2026-25854 Medium 6.1 tomcat-embed-core-10.1.20.jar Transitive 3.5.13
CVE-2026-41846 Medium 5.9 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-41843 Medium 5.9 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-41841 Medium 5.9 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-22737 Medium 5.9 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2025-41242 Medium 5.9 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-22745 Medium 5.3 spring-webmvc-6.1.6.jar Transitive 3.5.14
CVE-2025-61795 Medium 5.3 tomcat-embed-core-10.1.20.jar Transitive 3.4.11
CVE-2026-41844 Medium 4.2 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-43514 Low 3.7 tomcat-embed-core-10.1.20.jar Transitive 3.5.15
CVE-2026-22741 Low 3.1 spring-webmvc-6.1.6.jar Transitive N/A*
CVE-2026-22735 Low 2.6 spring-webmvc-6.1.6.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2026-43512

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.
Older unsupported versions any also be affect
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43512

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.55

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.15

Step up your Open Source Security Game with Mend here

CVE-2026-41293

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Publish Date: 2026-05-12

URL: CVE-2026-41293

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.55

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.15

Step up your Open Source Security Game with Mend here

CVE-2025-31651

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-04-28

URL: CVE-2025-31651

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3

Release Date: 2025-04-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.40

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.11

Step up your Open Source Security Game with Mend here

CVE-2025-24813

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)

  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
    - attacker knowledge of the names of security sensitive files being uploaded
    - the security sensitive files also being uploaded via partial PUT
    If all of the following were true, a malicious user was able to perform remote code execution:
  • writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default)
    - application was using Tomcat's file based session persistence with the default storage location
    - application included a library that may be leveraged in a deserialization attack
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-10

URL: CVE-2025-24813

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Release Date: 2025-03-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.35

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.9

Step up your Open Source Security Game with Mend here

CVE-2024-56337

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

  • running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
  • running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
    Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-20

URL: CVE-2024-56337

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

Step up your Open Source Security Game with Mend here

CVE-2024-52316

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-11-18

URL: CVE-2024-52316

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.11

Step up your Open Source Security Game with Mend here

CVE-2024-50379

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-17

URL: CVE-2024-50379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

Step up your Open Source Security Game with Mend here

CVE-2025-55754

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Publish Date: 2025-10-27

URL: CVE-2025-55754

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd

Release Date: 2025-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.45

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.10

Step up your Open Source Security Game with Mend here

CVE-2026-43515

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43515

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.55

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.15

Step up your Open Source Security Game with Mend here

CVE-2026-29145

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-29145

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.13

Step up your Open Source Security Game with Mend here

CVE-2024-38286

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.
Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-11-07

URL: CVE-2024-38286

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q3/264

Release Date: 2024-11-07

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.7

Step up your Open Source Security Game with Mend here

CVE-2025-49124

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-49124

CVSS 3 Score Details (8.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-16

Fix Resolution: https://github.com/apache/tomcat.git - 11.0.8,https://github.com/apache/tomcat.git - 10.1.42,https://github.com/apache/tomcat.git - 9.0.106

Step up your Open Source Security Game with Mend here

CVE-2025-66614

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Input Validation vulnerability.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI
extension was the same as the host name provided in the HTTP host header
field. If Tomcat was configured with more than one virtual host and the
TLS configuration for one of those hosts did not require client
certificate authentication but another one did, it was possible for a
client to bypass the client certificate authentication by sending
different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is
only enforced at the Connector. It does not apply if client certificate
authentication is enforced at the web application.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Publish Date: 2026-02-17

URL: CVE-2025-66614

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7

Release Date: 2026-02-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.50

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.13

Step up your Open Source Security Game with Mend here

CVE-2026-43513

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publish Date: 2026-05-12

URL: CVE-2026-43513

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.55

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.15

Step up your Open Source Security Game with Mend here

CVE-2026-41842

Vulnerable Library - spring-webmvc-6.1.6.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.1.6/spring-webmvc-6.1.6.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-webmvc-6.1.6.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources.Affected versions:Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Publish Date: 2026-06-09

URL: CVE-2026-41842

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-41842

Release Date: 2026-06-09

Fix Resolution: org.springframework:spring-webmvc:7.0.8,org.springframework:spring-webmvc:6.2.19,https://github.com/spring-projects/spring-framework.git - v7.0.8,https://github.com/spring-projects/spring-framework.git - v6.2.19,org.springframework:spring-webflux:7.0.8,org.springframework:spring-webflux:6.2.19

Step up your Open Source Security Game with Mend here

CVE-2026-41284

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Publish Date: 2026-05-12

URL: CVE-2026-41284

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.55

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.15

Step up your Open Source Security Game with Mend here

CVE-2026-34487

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.54

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.14

Step up your Open Source Security Game with Mend here

CVE-2026-34483

Vulnerable Library - tomcat-embed-core-10.1.20.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.2.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.2.5.jar
      • tomcat-embed-core-10.1.20.jar (Vulnerable Library)

Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262

Found in base branch: master

Vulnerability Details

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34483

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.54

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.14

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions