announce

[SECURITY] CVE-2026-34500 Apache Tomcat - OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Thu, 09 Apr 2026 19:35:51 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-34486 Apache Tomcat - Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Thu, 09 Apr 2026 19:34:25 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-34483 Apache Tomcat - Incomplete escaping of JSON access logs

Thu, 09 Apr 2026 19:33:23 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-34487 Apache Tomcat - Cloud membership for clustering component exposed the Kubernetes bearer token

Thu, 09 Apr 2026 19:28:37 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-32990 Apache Tomcat - The fix for CVE-2025-66614 is incomplete

Thu, 09 Apr 2026 19:27:31 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-29129 Apache Tomcat - Configured TLS cipher preference order not preserved

Thu, 09 Apr 2026 19:17:36 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-29145 Apache Tomcat and Tomcat Native - OCSP checks sometimes soft-fail even when soft-fail is disabled

Thu, 09 Apr 2026 19:17:26 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-29146 Apache Tomcat - EncryptInterceptor vulnerable to padding oracle attack by default

Thu, 09 Apr 2026 19:16:27 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-24880 Apache Tomcat - Request smuggling via invalid chunk extension

Thu, 09 Apr 2026 19:12:27 GMT

2026/04/09 -- Mark Thomas

[SECURITY] CVE-2026-25854 Apache Tomcat - Occasionally open redirect

Thu, 09 Apr 2026 19:12:08 GMT

2026/04/09 -- Mark Thomas

[ANN] Apache Tomcat 11.0.21 Available

Sat, 04 Apr 2026 12:05:36 GMT

2026/04/04 -- Mark Thomas

[ANN] Apache Tomcat 9.0.117 available

Fri, 03 Apr 2026 09:28:06 GMT

2026/04/03 -- Rémy Maucherat

[ANN] Apache Tomcat 10.1.54 Available

Fri, 03 Apr 2026 07:29:40 GMT

2026/04/03 -- Christopher Schultz

[ANN] End Of Support for Tomcat Native 1.x

Fri, 03 Apr 2026 07:24:52 GMT

2026/04/03 -- Christopher Schultz

[ANN] Apache Tomcat 10.1.53 Available

Tue, 24 Mar 2026 07:58:14 GMT

2026/03/24 -- Christopher Schultz

[ANN] Apache Tomcat 9.0.116 available

Fri, 20 Mar 2026 14:56:05 GMT

2026/03/20 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.20 Available

Fri, 20 Mar 2026 12:18:49 GMT

2026/03/20 -- Mark Thomas

[ANN] Apache Tomcat Native 1.3.7 released

Tue, 10 Mar 2026 10:46:00 GMT

2026/03/10 -- Mark Thomas

[ANN] Apache Tomcat Native 2.0.14 released

Tue, 10 Mar 2026 10:44:38 GMT

2026/03/10 -- Mark Thomas

[SECURITY] CVE-2026-24733 Apache Tomcat - Security constraint bypass with HTTP/0.9

Tue, 17 Feb 2026 18:30:50 GMT

2026/02/17 -- Mark Thomas

[SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

Tue, 17 Feb 2026 18:26:41 GMT

2026/02/17 -- Mark Thomas

[SECURITY] CVE-2025-66614 Apache Tomcat - Client certificate verification bypass due to virtual host mapping

Tue, 17 Feb 2026 18:24:00 GMT

2026/02/17 -- Mark Thomas

[ANN] End of support for Apache Tomcat Native 1.3.x

Wed, 11 Feb 2026 12:29:36 GMT

2026/02/11 -- Mark Thomas

[ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan

Wed, 11 Feb 2026 12:25:12 GMT

2026/02/11 -- Mark Thomas

[ANN] Apache Tomcat Native 1.3.6 released

Wed, 11 Feb 2026 11:45:20 GMT

2026/02/11 -- Mark Thomas

[ANN] Apache Tomcat Native 2.0.13 released

Wed, 11 Feb 2026 10:13:28 GMT

2026/02/11 -- Mark Thomas

[ANN] Apache Tomcat 11.0.18 Available

Fri, 30 Jan 2026 10:12:46 GMT

2026/01/30 -- Mark Thomas

[ANN] Apache Tomcat 10.1.52 Available

Wed, 28 Jan 2026 10:00:32 GMT

2026/01/28 -- Christopher Schultz

[ANN] Apache Tomcat 9.0.115 available

Fri, 23 Jan 2026 16:09:16 GMT

2026/01/23 -- Rémy Maucherat

[ANN] Apache Tomcat Native 1.3.4 released

Mon, 12 Jan 2026 12:11:31 GMT

2026/01/12 -- Mark Thomas

[ANN] Apache Tomcat Native 2.0.12 released

Mon, 12 Jan 2026 12:09:17 GMT

2026/01/12 -- Mark Thomas

[ANN] Apache Tomcat 10.1.50 Available

Tue, 09 Dec 2025 08:29:04 GMT

2025/12/09 -- Christopher Schultz

[ANN] Apache Tomcat 11.0.15 Available

Mon, 08 Dec 2025 09:30:47 GMT

2025/12/08 -- Mark Thomas

[ANN] Apache Tomcat 9.0.113 available

Sun, 07 Dec 2025 15:40:25 GMT

2025/12/07 -- Rémy Maucherat

[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.10

Mon, 24 Nov 2025 22:39:39 GMT

2025/11/24 -- Mark Thomas

[ANN] Apache Tomcat 10.1.49 Available

Tue, 11 Nov 2025 07:32:29 GMT

2025/11/11 -- Christopher Schultz

[ANN] Apache Tomcat 9.0.112 available

Mon, 10 Nov 2025 16:09:20 GMT

2025/11/10 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.14 Available

Mon, 10 Nov 2025 15:44:24 GMT

2025/11/10 -- Mark Thomas

[SECURITY] CVE-2025-61795 Apache Tomcat - Delayed cleaning of multipart upload temporary files may lead to DoS

Mon, 27 Oct 2025 17:20:55 GMT

2025/10/27 -- Mark Thomas

[SECURITY] CVE-2025-55752 Apache Tomcat - Directory traversal via rewrite with possible RCE if PUT is enabled

Mon, 27 Oct 2025 17:18:27 GMT

2025/10/27 -- Mark Thomas

[SECURITY] CVE-2025-55754 Apache Tomcat - Console manipulation via escape sequences in log messages

Mon, 27 Oct 2025 17:15:24 GMT

2025/10/27 -- Mark Thomas

[ANN] Apache Tomcat 9.0.110 available

Sat, 18 Oct 2025 17:58:20 GMT

2025/10/18 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.12 Available

Sat, 18 Oct 2025 04:55:12 GMT

2025/10/18 -- Mark Thomas

[ANN] Apache Tomcat 10.1.47 Available

Sat, 18 Oct 2025 03:28:17 GMT

2025/10/18 -- Christopher Schultz

[ANN] Apache Tomcat 11.0.13 Available

Fri, 17 Oct 2025 22:43:49 GMT

2025/10/17 -- Mark Thomas

[ANN] Apache Tomcat 10.1.48 Available

Fri, 17 Oct 2025 18:31:26 GMT

2025/10/17 -- Christopher Schultz

[ANN] Apache Tomcat 9.0.111 available

Mon, 13 Oct 2025 20:43:57 GMT

2025/10/13 -- Rémy Maucherat

[ANN] Apache Tomcat 10.1.46 Available

Fri, 12 Sep 2025 14:13:23 GMT

2025/09/12 -- Christopher Schultz

[ANN] Apache Tomcat 10.1.45 Available (with IMPORTANT NOTE)

Mon, 08 Sep 2025 14:26:23 GMT

2025/09/08 -- Christopher Schultz

[ANN] Apache Tomcat 11.0.11 Available

Sun, 07 Sep 2025 16:26:50 GMT

2025/09/07 -- Mark Thomas

[ANN] Apache Tomcat 9.0.109 available

Sat, 06 Sep 2025 01:22:11 GMT

2025/09/06 -- Rémy Maucherat

[SECURITY] CVE-2025-55668 Apache Tomcat - Session fixation via rewrite valve

Wed, 13 Aug 2025 13:16:49 GMT

2025/08/13 -- Mark Thomas

[SECURITY] CVE-2025-48989 Apache Tomcat - DoS in HTP/2 - Made You Reset

Wed, 13 Aug 2025 12:09:12 GMT

2025/08/13 -- Mark Thomas

[ANN] Apache Tomcat 10.1.44 Available

Thu, 07 Aug 2025 18:41:50 GMT

2025/08/07 -- Christopher Schultz

[SECURITY] Upcoming updates to recent(ish)Tomcat CVEs

Thu, 07 Aug 2025 10:42:54 GMT

2025/08/07 -- Mark Thomas

[ANN] Apache Tomcat 11.0.10 Available

Thu, 07 Aug 2025 08:43:56 GMT

2025/08/07 -- Mark Thomas

[ANN] Apache Tomcat 9.0.108 available

Wed, 06 Aug 2025 17:56:55 GMT

2025/08/06 -- Rémy Maucherat

[SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload [CORRECTION]

Fri, 11 Jul 2025 18:50:02 GMT

2025/07/11 -- Christopher Schultz

[SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

Thu, 10 Jul 2025 19:25:33 GMT

2025/07/10 -- Mark Thomas

[SECURITY] CVE-2025-53506 Apache Tomcat - DoS in HTP/2

Thu, 10 Jul 2025 19:23:43 GMT

2025/07/10 -- Mark Thomas

[SECURITY] CVE-2025-53506 Apache Tomcat - DoS in HTP/2

Thu, 10 Jul 2025 19:03:49 GMT

2025/07/10 -- Mark Thomas

[SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

Thu, 10 Jul 2025 19:01:04 GMT

2025/07/10 -- Mark Thomas

[SECURITY] CVE-2025-52434 Apache Tomcat -APR/native Connector crash leading to DoS

Thu, 10 Jul 2025 18:59:05 GMT

2025/07/10 -- Mark Thomas

[ANN] Apache Tomcat 9.0.107 available

Fri, 04 Jul 2025 21:03:55 GMT

2025/07/04 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.9 Available

Fri, 04 Jul 2025 20:11:29 GMT

2025/07/04 -- Mark Thomas

[ANN] Apache Tomcat 10.1.43 Available

Fri, 04 Jul 2025 20:05:06 GMT

2025/07/04 -- Christopher Schultz

[SECURITY] CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows

Mon, 16 Jun 2025 14:20:39 GMT

2025/06/16 -- Mark Thomas

[SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

Mon, 16 Jun 2025 14:15:12 GMT

2025/06/16 -- Mark Thomas

[SECURITY] CVE-2025-48988 Apache Tomcat - DoS in multipart upload

Mon, 16 Jun 2025 14:09:03 GMT

2025/06/16 -- Mark Thomas

[SECURITY] CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload

Mon, 16 Jun 2025 14:06:36 GMT

2025/06/16 -- Mark Thomas

[ANN] Apache Tomcat 11.0.8 Available

Tue, 10 Jun 2025 10:43:10 GMT

2025/06/10 -- Mark Thomas

[ANN] Apache Tomcat 9.0.106 available

Tue, 10 Jun 2025 08:38:40 GMT

2025/06/10 -- Rémy Maucherat

[ANN] Apache Tomcat 10.1.42 Available

Tue, 10 Jun 2025 06:57:16 GMT

2025/06/10 -- Christopher Schultz

[SECURITY] CVE-2025-46701 Apache Tomcat - CGI security constraint bypass

Thu, 29 May 2025 19:04:58 GMT

2025/05/29 -- Mark Thomas

[ANN] Apache Tomcat 9.0.105 available

Mon, 12 May 2025 21:05:56 GMT

2025/05/12 -- Rémy Maucherat

[ANN] Apache Tomcat 10.1.41 Available

Mon, 12 May 2025 17:38:02 GMT

2025/05/12 -- Christopher Schultz

[SECURITY] CVE-2025-31651 Apache Tomcat - Rewrite rule bypass

Mon, 28 Apr 2025 19:13:48 GMT

2025/04/28 -- Mark Thomas

[SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

Mon, 28 Apr 2025 19:11:22 GMT

2025/04/28 -- Mark Thomas

[ANN] Apache Tomcat 9.0.104 available

Wed, 09 Apr 2025 21:19:52 GMT

2025/04/09 -- Rémy Maucherat

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

Tue, 11 Mar 2025 17:05:43 GMT

2025/03/11 -- Mark Thomas

[ANN] Apache Tomcat 9.0.102 available

Thu, 06 Mar 2025 20:24:03 GMT

2025/03/06 -- Rémy Maucherat

The future of Tomcat 9

Tue, 25 Feb 2025 10:47:29 GMT

2025/02/25 -- Mark Thomas

[ANN] Apache Tomcat 9.0.100 available

Mon, 17 Feb 2025 13:55:57 GMT

2025/02/17 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.4 Available

Mon, 17 Feb 2025 10:45:58 GMT

2025/02/17 -- Mark Thomas

[ANN] Apache Tomcat 11.0.3 Available

Mon, 10 Feb 2025 16:11:04 GMT

2025/02/10 -- Mark Thomas

[ANN] Apache Tomcat 9.0.99 available

Mon, 10 Feb 2025 15:55:51 GMT

2025/02/10 -- Rémy Maucherat

[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.9

Tue, 21 Jan 2025 08:44:54 GMT

2025/01/21 -- Mark Thomas

[SECURITY] CVE-2024-56337 Apache Tomcat - RCE via write-enabled default servlet - CVE-2024-50379 mitigation was incomplete

Fri, 20 Dec 2024 15:27:56 GMT

2024/12/20 -- Mark Thomas

[SECURITY] CVE-2024-54677 Apache Tomcat - DoS in examples web application

Tue, 17 Dec 2024 12:32:50 GMT

2024/12/17 -- Mark Thomas

[SECURITY] CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet

Tue, 17 Dec 2024 12:27:45 GMT

2024/12/17 -- Mark Thomas

[ANN] Apache Tomcat 9.0.98 available

Mon, 09 Dec 2024 15:04:19 GMT

2024/12/09 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.2 Available

Mon, 09 Dec 2024 13:21:31 GMT

2024/12/09 -- Mark Thomas

[SECURITY] CVE-2024-52316 Apache Tomcat - Authentication Bypass

Tue, 19 Nov 2024 01:13:50 GMT

2024/11/19 -- Mark Thomas

[SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

Mon, 18 Nov 2024 14:12:35 GMT

2024/11/18 -- Mark Thomas

[SECURITY] CVE-2024-52318 Apache Tomcat - XSS in generated JSPs

Mon, 18 Nov 2024 12:19:02 GMT

2024/11/18 -- Mark Thomas

[SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

Mon, 18 Nov 2024 11:23:55 GMT

2024/11/18 -- Mark Thomas

[ANN] Apache Tomcat 10.1.33 Available

Mon, 11 Nov 2024 15:26:33 GMT

2024/11/11 -- Christopher Schultz

[ANN] Apache Tomcat 9.0.97 available

Sat, 09 Nov 2024 14:08:38 GMT

2024/11/09 -- Rémy Maucherat

[ANN] Apache Tomcat 11.0.0 Available

Wed, 09 Oct 2024 17:09:19 GMT

2024/10/09 -- Mark Thomas

[ANN] Apache Tomcat 9.0.96 available

Tue, 08 Oct 2024 13:37:20 GMT

2024/10/08 -- Rémy Maucherat