Description
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Published: 2026-04-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Input Validation leading to potential misuse of Tomcat services
Action: Immediate Patch
AI Analysis

Impact

This vulnerability stems from an incomplete fix applied to a prior issue (CVE-2025-66614). The improper input validation allows crafted requests to the Tomcat server to potentially manipulate internal data structures or trigger abnormal behavior. The weakness corresponds to identified CWEs indicating unsafe handling of input sizes and boundary checks, increasing the likelihood of successful exploitation if an attacker can supply malicious input.

Affected Systems

The affected product is Apache Tomcat, specifically versions from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, and from 9.0.113 through 9.0.115. These releases are distributed by the Apache Software Foundation and are commonly used in enterprise Java web applications.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium range, while an EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog, suggesting no known widespread attacks. The likely attack vector is through HTTP requests sent to the Tomcat server, where malicious input could be crafted to trigger the improper input handling. The risk remains moderate until the product is upgraded to the patched releases listed in the advisory.

Generated by OpenCVE AI on April 14, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the latest patched versions: 11.0.20, 10.1.53, or 9.0.116 as applicable.
  • Confirm the running Tomcat version using the catalina.sh version script or the server startup logs to ensure the patch has been applied.
  • If an upgrade cannot be performed immediately, isolate the affected servers behind a restrictive firewall, block suspicious input patterns, and monitor application logs for anomalous requests.
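The version check in the second action above, as an added example that is not part of the OpenCVE page or of Tomcat itself: it parses the "Server version:" line that catalina.sh version prints (that output format, and the sample line below, are assumed and constructed here) and compares the result against the affected and fixed versions this advisory lists.

```python
import re

# Affected ranges (inclusive) and the fixed release for each branch, taken
# from the advisory text on this page.
BRANCHES = {
    (11, 0): {"first": (11, 0, 15), "last": (11, 0, 19), "fixed": (11, 0, 20)},
    (10, 1): {"first": (10, 1, 50), "last": (10, 1, 52), "fixed": (10, 1, 53)},
    (9, 0): {"first": (9, 0, 113), "last": (9, 0, 115), "fixed": (9, 0, 116)},
}

# Assumed format of the line printed by `catalina.sh version`; this sample is
# constructed for the example, not output captured from a real server.
SAMPLE_OUTPUT = "Server version: Apache Tomcat/10.1.51"
SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
BARE_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); prefer the 'Apache Tomcat/x.y.z' form so a
    JVM version line elsewhere in the output is not picked up by mistake."""
    m = SERVER_LINE_RE.search(text) or BARE_VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify a version tuple against the ranges this advisory lists."""
    branch = BRANCHES.get(version[:2])
    if branch is None:
        return "not_listed"  # branch (e.g. 8.5.x) is not covered by this advisory
    if branch["first"] <= version <= branch["last"]:
        return "affected"
    if version >= branch["fixed"]:
        return "fixed"
    return "not_listed"  # older than the affected range on this branch


def check(text):
    """Parse version output and return (version_string, assessment)."""
    version = parse_version(text)
    return ".".join(map(str, version)), assess(version)


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))  # ('10.1.51', 'affected')
```

A "not_listed" result only means the version is outside the ranges in this advisory; it says nothing about exposure to the original CVE-2025-66614.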

Generated by OpenCVE AI on April 14, 2026 at 14:37 UTC.


Advisories
  • Source: Github GHSA
  • ID: GHSA-8mc5-53m5-3qj2
  • Title: Apache Tomcat has an Improper Input Validation vulnerability
History

Tue, 14 Apr 2026 13:00:00 +0000
  • First Time appeared, values added: Apache tomcat
  • CPEs, values added: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  • Vendors & Products, values added: Apache tomcat

Fri, 10 Apr 2026 19:15:00 +0000
  • Metrics, values removed: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  • Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000
  • Weaknesses, values added: CWE-184
  • References: (none listed)
  • Metrics, values removed: threat_severity None
  • Metrics, values added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}; threat_severity Moderate

Fri, 10 Apr 2026 09:00:00 +0000
  • First Time appeared, values added: Apache; Apache apache Tomcat
  • Vendors & Products, values added: Apache; Apache apache Tomcat

Thu, 09 Apr 2026 19:30:00 +0000
  • Description, values added: Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
  • Title, values added: Apache Tomcat: Fix for CVE-2025-66614 is incomplete
  • Weaknesses, values added: CWE-20
  • References: (none listed)

MITRE

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-04-10T18:39:25.498Z
Reserved: 2026-03-17T13:55:48.216Z
Link: CVE-2026-32990

Vulnrichment

Updated: 2026-04-10T18:37:37.403Z

NVD

Status: Analyzed
Published: 2026-04-09T20:16:24.810
Modified: 2026-04-14T12:47:51.797
Link: CVE-2026-32990

Redhat

Severity: Moderate
Published Date: 2026-04-09T19:23:49Z
Links: CVE-2026-32990 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:50Z

Weaknesses