CVE-2026-41284
PUBLISHED
CVSS 9.3 CRITICAL
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
EPSS 0.05% · 16.3th percentile
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.05%
16.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Tomcat | 9.0.0.M1, 10.0.0-M1, 8.5.0 |
Timeline
- May 12, 2026 CVE Published
- May 13, 2026 Security Advisory
- May 18, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc vendor-advisory
- http://www.openwall.com/lists/oss-security/2026/05/12/12 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-41284 advisory
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118 advisory
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.55 advisory
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22 advisory