cbcvebase.
CVE-2026-41293
published 2026-05-12

Priority P266 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.34% (67.8th percentile)
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Affected (13 ranges)

Vendor                      Product        Version range          Fixed in
apache                      tomcat         10.0.0 – 10.0.27       -
apache                      tomcat         >= 10.1.0 < 10.1.55    10.1.55
apache                      tomcat         >= 11.0.0 < 11.0.22    11.0.22
apache                      tomcat         8.5.0 – 8.5.100        -
apache                      tomcat         >= 9.0.0 < 9.0.118     9.0.118
apache_software_foundation  apache_tomcat  10.0.0-M1 – 10.0.27    -
apache_software_foundation  apache_tomcat  10.1.0-M1 – 10.1.54    -
apache_software_foundation  apache_tomcat  11.0.0-M1 – 11.0.21    -
apache_software_foundation  apache_tomcat  8.5.0 – 8.5.100        -
apache_software_foundation  apache_tomcat  9.0.0.M1 – 9.0.117     -
ubuntu                      tomcat10       -                      -
ubuntu                      tomcat11       -                      -
ubuntu                      tomcat9        -                      -

Detection & IOCs (extracted from sources)

  • Focus detection on HTTP/2 traffic to Apache Tomcat: the vulnerability involves improper validation of HTTP/2 request headers, which can trigger unexpected application behavior or crash/RCE conditions.
  • Monitor for malformed or unexpected HTTP/2 header field values reaching the Servlet API on affected Tomcat versions (9.0.0.M1–9.0.117, 10.0.0-M1–10.0.27, 10.1.0-M1–10.1.54, 11.0.0-M1–11.0.21); applications may behave unexpectedly when receiving header values that bypass Tomcat's validation.
  • Inspect the tomcat-coyote component specifically (the HTTP/2 connector layer) for anomalous header processing activity, as this is the affected package.
  • Affected version ranges span multiple Tomcat major branches; ensure detection and patching cover all of them: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, and 10.0.0-M1 through 10.0.27. Older, end-of-support versions may also be affected.
  • The vulnerability is specific to HTTP/2; deployments that do not expose HTTP/2 (e.g., HTTP/1.1-only configurations) are not directly affected by this header validation bypass.
  • Red Hat JBoss Web Server 6 (tomcat-coyote package) is explicitly listed as affected; JBoss/EAP deployments should be assessed separately in addition to standalone Tomcat.
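A triage helper, added here and not part of this record or of the Tomcat project, that encodes the affected ranges from the table above, orders Tomcat milestone versions such as 9.0.0.M1 and 10.1.0-M1 before the GA releases that follow them, and checks whether a server.xml exposes HTTP/2 (the precondition the detection notes call out) via the standard org.apache.coyote.http2.Http2Protocol UpgradeProtocol element; the sample server.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from this page: (first affected, last affected, fixed version or None where none is listed).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.21", "11.0.22"),
    ("10.1.0-M1", "10.1.54", "10.1.55"),
    ("10.0.0-M1", "10.0.27", None),
    ("9.0.0.M1", "9.0.117", "9.0.118"),
    ("8.5.0", "8.5.100", None),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def parse_version(text):
    """Tomcat version string -> sortable tuple. Milestones ("9.0.0.M1", "10.1.0-M1")
    sort before the GA release of the same number: flag 0 = milestone, 1 = GA."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_affected(version):
    """(affected, fixed_version) for the installed version, per the ranges above."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

def http2_enabled(server_xml):
    """True if a Connector in this server.xml enables HTTP/2 through the standard
    org.apache.coyote.http2.Http2Protocol UpgradeProtocol element."""
    root = ET.fromstring(server_xml)
    return any(up.get("className") == "org.apache.coyote.http2.Http2Protocol"
               for c in root.iter("Connector") for up in c.findall("UpgradeProtocol"))

# Constructed sample server.xml fragment for the stand-alone run (not a real deployment).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for ver in ("9.0.0.M1", "9.0.117", "9.0.118", "10.1.0-M1", "10.0.27", "11.0.22"):
        print(ver, is_affected(ver), "http2:", http2_enabled(SAMPLE_SERVER_XML))
```

A host is exposed only when both checks are true; an affected version on an HTTP/1.1-only connector still needs the upgrade but is not reachable through this bug.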

CVSS provenance

nvd            v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat        9.8  CRITICAL
vendor_ubuntu        7.5  HIGH