org.apache.tomcat:tomcat-coyote (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.tomcat:tomcat-coyote, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (28)
CVE-2017-5651 — CVSS 9.8 (critical): In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file…
CVE-2025-66614 — CVSS 9.1 (critical): Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49…
CVE-2019-0199 — CVSS 7.5 (high): The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS…
CVE-2020-13934 — CVSS 7.5 (high): An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1…
CVE-2026-24880 — CVSS 7.5 (high): Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk…
CVE-2020-17527 — CVSS 7.5 (high): While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could…
CVE-2021-25122 — CVSS 7.5 (high): When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could…
CVE-2022-42252 — CVSS 7.5 (high): If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP…
CVE-2023-24998 — CVSS 7.5 (high): Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker…
CVE-2023-28709 — CVSS 7.5 (high): The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to…
CVE-2023-34981 — CVSS 7.5 (high): A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any…
CVE-2025-48989 — CVSS 7.5 (high): Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue…
CVE-2026-24734 — CVSS 7.5 (high): Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's…
CVE-2024-34750 — CVSS 7.5 (high): Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2…
CVE-2025-31650 — CVSS 7.5 (high): Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in…
CVE-2025-53506 — CVSS 7.5 (high): Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that…
CVE-2026-29129 — CVSS 7.5 (high): Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through…
CVE-2024-24549 — CVSS 7.5 (high): Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request…
CVE-2016-6816 — CVSS 7.1 (high): The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the…
CVE-2024-52317 — CVSS 6.5 (medium): Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2…
CVE-2023-42794 — CVSS 5.9 (medium): Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through…
CVE-2026-32990 — CVSS 5.3 (medium): Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from…
CVE-2023-45648 — CVSS 5.3 (medium): Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from…
CVE-2024-21733 — CVSS 5.3 (medium): Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7…
CVE-2014-0095 — CVSS 5.0 (medium): java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service…
CVE-2014-0075 — CVSS 5.0 (medium): Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before…
CVE-2020-13943 — CVSS 4.3 (medium): If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum…