CVE-2026-41293
Published 2026-05-12
CVE-2026-41293: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54…
Priority: P2 (66)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.34% (67.8th percentile)
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | 10.0.0 – 10.0.27 | — |
| apache | tomcat | >= 10.1.0 < 10.1.55 | 10.1.55 |
| apache | tomcat | >= 11.0.0 < 11.0.22 | 11.0.22 |
| apache | tomcat | 8.5.0 – 8.5.100 | — |
| apache | tomcat | >= 9.0.0 < 9.0.118 | 9.0.118 |
| apache_software_foundation | apache_tomcat | 10.0.0-M1 – 10.0.27 | — |
| apache_software_foundation | apache_tomcat | 10.1.0-M1 – 10.1.54 | — |
| apache_software_foundation | apache_tomcat | 11.0.0-M1 – 11.0.21 | — |
| apache_software_foundation | apache_tomcat | 8.5.0 – 8.5.100 | — |
| apache_software_foundation | apache_tomcat | 9.0.0.M1 – 9.0.117 | — |
| ubuntu | tomcat10 | — | — |
| ubuntu | tomcat11 | — | — |
| ubuntu | tomcat9 | — | — |
Detection & IOCs (extracted from sources)
- Target HTTP/2 traffic to Apache Tomcat. The vulnerability involves improper validation of HTTP/2 request headers, which can trigger unexpected application behavior or crash/RCE conditions.
- Monitor for malformed or unexpected HTTP/2 header field values reaching the Servlet API on affected Tomcat versions (9.0.0.M1–9.0.117, 10.0.0-M1–10.0.27, 10.1.0-M1–10.1.54, 11.0.0-M1–11.0.21); applications may behave unexpectedly when receiving header values that bypass Tomcat's validation.
- Inspect the tomcat-coyote component specifically (the HTTP/2 connector layer) for anomalous header processing activity, as this is the affected package.
- Affected version ranges span multiple Tomcat major branches; ensure detection/patching covers all of them: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, and 10.0.0-M1 through 10.0.27. Older end-of-support versions may also be affected.
- The vulnerability is specific to HTTP/2; deployments that do not expose HTTP/2 (e.g., HTTP/1.1-only configurations) are not directly affected by this header validation bypass.
- Red Hat JBoss Web Server 6 (tomcat-coyote package) is explicitly listed as affected; JBoss/EAP deployments should be assessed separately in addition to standalone Tomcat.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | 9.8 | CRITICAL | — |
| vendor_ubuntu | 7.5 | HIGH | — |
VulDB
Apache Tomcat up to 11.0.21 input validation (Nessus ID 314487)
vuldb·2026-05-19·CVSS 9.8
CVE-2026-41293 [CRITICAL] Apache Tomcat up to 11.0.21 input validation (Nessus ID 314487)
A vulnerability has been found in Apache Tomcat up to 8.5.100/9.0.117/10.0.27/10.1.54/11.0.21 and classified as critical. Affected is an unknown function. The manipulation leads to improper input validation.
This vulnerability is referenced as CVE-2026-41293. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
GHSA
Apache Tomcat - HTTP/2 request headers not validated
ghsa·2026-05-12
CVE-2026-41293 [CRITICAL] CWE-20 Apache Tomcat - HTTP/2 request headers not validated
Apache Tomcat - HTTP/2 request headers not validated
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Older, unsupported versions may also be affected
Description:
HTTP/2 request headers were not validated, which may have triggered
unexpected application behaviour if the application (quite reasonably)
assumed that header values exposed through the Servlet API would be
specification compliant.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.22 or later
- Upgrade to Apache Tomcat 10.1.55 or later
- Upgrade to Apache Tomcat 9.0.118 or later
Credit:
This issue was identified by Dawit Jeong (@dawitngoliath)
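The advisory's point is that application code trusts the Servlet API to hand it specification-compliant header values. Until the upgrade above is rolled out, an application can re-check that assumption itself. The filter below is an added example written for this page; it is not Tomcat's fix, not code from the advisory, and the page does not say what the fixed connector validates, so the RFC 9110 field-name/field-value grammar it enforces is an assumption about what "specification compliant" means here. It assumes a Tomcat 10.1.x or 11.0.x deployment (jakarta.servlet package names; Tomcat 9.0.x uses javax.servlet instead), and it rejects any request carrying a header name or value outside that grammar with a 400 and a context log line that can be picked up for detection.

```java
import java.io.IOException;
import java.util.Enumeration;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat's fix and not from any advisory on this page):
 * a defence-in-depth filter that re-checks every request header against the
 * RFC 9110 field-name / field-value grammar before application code sees it.
 * The grammar applied here is an assumption about what "specification
 * compliant" means; the advisory does not spell out the container's own check.
 * Tomcat 9.0.x deployments need javax.servlet imports instead of jakarta.servlet.
 */
@WebFilter(filterName = "headerGrammarFilter", urlPatterns = "/*")
public class HeaderGrammarFilter implements Filter {

    /** RFC 9110 tchar: ALPHA / DIGIT / "!#$%&'*+-.^_`|~". */
    static boolean isTokenChar(char c) {
        if (c >= 'a' && c <= 'z') return true;
        if (c >= 'A' && c <= 'Z') return true;
        if (c >= '0' && c <= '9') return true;
        return "!#$%&'*+-.^_`|~".indexOf(c) >= 0;
    }

    /** field-name = token (HTTP/2 additionally requires lowercase; not enforced here). */
    static boolean isValidFieldName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            if (!isTokenChar(name.charAt(i))) return false;
        }
        return true;
    }

    /**
     * field-value = *( field-vchar / SP / HTAB ), field-vchar = VCHAR / obs-text.
     * NUL, CR, LF, other CTLs and DEL are rejected. Header bytes reach the
     * application as ISO-8859-1 chars, so anything above 0xFF cannot be a plain
     * header byte and is rejected as well.
     */
    static boolean isValidFieldValue(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == ' ' || c == '\t') continue;      // SP / HTAB are permitted inside a value
            if (c < 0x21 || c == 0x7F) return false;  // CTLs (incl. NUL, CR, LF) and DEL
            if (c > 0xFF) return false;               // not representable as a header byte
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Enumeration<String> names = request.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            if (!isValidFieldName(name)) {
                reject(request, response, "header name outside RFC 9110 grammar");
                return;
            }
            Enumeration<String> values = request.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                if (!isValidFieldValue(values.nextElement())) {
                    reject(request, response, "header value outside RFC 9110 grammar: " + name);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Log protocol, peer and header name for alerting, without echoing the offending bytes. */
    private static void reject(HttpServletRequest request, HttpServletResponse response, String why)
            throws IOException {
        request.getServletContext().log("rejected " + request.getProtocol() + " request from "
                + request.getRemoteAddr() + ": " + why);
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    }
}
```

The log line includes `request.getProtocol()` so that rejections on HTTP/2 (the only protocol the advisory concerns) can be separated from HTTP/1.1 noise when the context log is shipped to a SIEM. The filter is a stop-gap, not a substitute for the upgrade: it only sees what the connector has already parsed and handed to the Servlet API.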
GHSA
GHSA-r29c-68gh-xp6x: Improper Input Validation vulnerability in Apache Tomcat
ghsa_unreviewed·2026-05-12
CVE-2026-41293 CWE-20 GHSA-r29c-68gh-xp6x: Improper Input Validation vulnerability in Apache Tomcat
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2026-06-18·CVSS 7.5
CVE-2026-42498 [HIGH] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
possibly use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could possibly use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrec
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2026-06-10·CVSS 7.5
CVE-2026-41284 [HIGH] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrectly handled digest
Red Hat
tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
vendor_redhat·2026-05-12·CVSS 9.8
CVE-2026-41293 [CRITICAL] CWE-1286 tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Apache Tomcat did not validate HTTP/2 request headers, triggering unexpected application behavior, as applications may presume that header values exposed through the Servlet API would be valid.
Package: tomcat-coyote (Red Hat JBoss Web Server 6) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41293 tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
bugzilla·2026-05-12·CVSS 9.8
CVE-2026-41293 [CRITICAL] CVE-2026-41293 tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
CVE-2026-41293 tomcat-coyote: Apache Tomcat: HTTP/2 request headers not validated
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We