CVE-2026-41293
PUBLISHED
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Risk Scores
EPSS Score: 0.25% (48.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Tomcat | 11.0.0-M1, 10.1.0-M1, 9.0.0.M1 |
Timeline
- May 12, 2026 CVE Published
- May 12, 2026 PoC Published
- May 13, 2026 Security Advisory
- May 18, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118 advisory
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.55 advisory
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22 advisory
- https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r vendor-advisory
- http://www.openwall.com/lists/oss-security/2026/05/12/13 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-41293 advisory