CVE-2026-32990

CWE-20 — Improper Input Validation CWE-18410 documents9 sources

Severity

5.3MEDIUM

No vector

EPSS

0.0%

top 87.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat9.0.113 — 9.0.116+2

▶Mavenorg.apache.tomcat:tomcat-catalina9.0.113 — 9.0.116+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.113 — 9.0.116+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.15 — 11.0.19+2

🔴Vulnerability Details

CVEList

Apache Tomcat: Fix for CVE-2025-66614 is incomplete↗2026-04-09

▶

VulDB

Apache Tomcat up to 9.0.115/10.1.52/11.0.19 input validation↗2026-04-09

▶

GHSA

Apache Tomcat has an Improper Input Validation vulnerability↗2026-04-09

▶

GHSA

GHSA-8mc5-53m5-3qj2: Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix↗2026-04-09

▶

Oracle

Oracle Oracle Communications Risk Matrix: Platform (GnuTLS) — CVE-2025-32990↗2026-01-15

▶

Apache

Apache tomcat: CVE-2025-66614↗

▶

💬Community

Bugzilla

CVE-2026-32990 tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-32990 Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix↗2026-04-09

▶