CVE-2026-24880: HTTP Request Smuggling in Software Foundation Apache Tomcat

Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 55.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 9
Latest update: Apr 10

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

CVEListV5: apache_software_foundation/apache_tomcat, 11.0.0-M1 through 11.0.18 (+4)

🔴 Vulnerability Details

4
GHSA
GHSA-563x-q5rq-57qp: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension (2026-04-09)
CVEList
Apache Tomcat: Request smuggling via invalid chunk extension (2026-04-09)
GHSA
Apache Tomcat has an HTTP Request/Response Smuggling vulnerability (2026-04-09)
VulDB
Apache Tomcat up to 11.0.18 HTTP Request request smuggling (2026-04-09)

📋 Vendor Advisories

1
Red Hat
Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension (2026-04-09)

💬 Community

2
Bugzilla
CVE-2026-24880 tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension [fedora-all] (2026-04-10)
Bugzilla
CVE-2026-24880 Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension (2026-04-09)
CVE-2026-24880 — HTTP Request Smuggling | cvebase