VDB

ANCHORE-2026-29146

ANCHORE-2026-29146 PUBLISHED

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Affected Products

VendorProductVersions
Apache Software FoundationApache Tomcat Catalina11.0.0-M1, 10.0.0-M1, 9.0.13
Apache Software FoundationApache Tomcat Embed11.0.0-M1, 10.0.0-M1, 9.0.13
Apache Software FoundationApache Tomcat11.0.0-M1, 10.0.0-M1, 9.0.13

Timeline

  • Apr 9, 2026 CVE Published
  • Apr 9, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›