DEBIAN-CVE-2026-24880

DEBIAN-CVE-2026-24880 PUBLISHED CVSS 7.5 HIGH

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:13	tomcat9	0, 0
Debian:14	tomcat11	0, 11.0.6-1, 11.0.18-1
Debian:12	tomcat9	0, 0
Debian:13	tomcat10	0, 10.1.54-1, 10.1.54-1
Debian:12	tomcat10	10.1.35-1, 10.1.15-1, 0
Debian:11	tomcat9	0, 9.0.63-1, 9.0.64-1
Debian:13	tomcat11	11.0.15-1~deb13u1, 11.0.18-1, 11.0.21-1
Debian:14	tomcat10	10.1.52-2, 0, 10.1.40-1
Debian:14	tomcat9	0, 0

Exploit Intelligence

suppressions.xml (github-poc)

Timeline

Apr 9, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-24880 advisory

Open in Interactive Console →