6.5

CVE-2026-24733

Improper Input Validation vulnerability in Apache Tomcat.


Tomcat did not limit HTTP/0.9 requests to the GET method. If a security 
constraint was configured to allow HEAD requests to a URI but deny GET 
requests, the user could bypass that constraint on GET requests by 
sending a (specification invalid) HEAD request using HTTP/0.9.


This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.


Older, EOL versions are also affected.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version >= 9.0.1 < 9.0.113
ApacheTomcat Version >= 10.1.1 < 10.1.50
ApacheTomcat Version >= 11.0.1 < 11.0.15
ApacheTomcat Version9.0.0 Updatemilestone1
ApacheTomcat Version9.0.0 Updatemilestone10
ApacheTomcat Version9.0.0 Updatemilestone11
ApacheTomcat Version9.0.0 Updatemilestone12
ApacheTomcat Version9.0.0 Updatemilestone13
ApacheTomcat Version9.0.0 Updatemilestone14
ApacheTomcat Version9.0.0 Updatemilestone15
ApacheTomcat Version9.0.0 Updatemilestone16
ApacheTomcat Version9.0.0 Updatemilestone17
ApacheTomcat Version9.0.0 Updatemilestone18
ApacheTomcat Version9.0.0 Updatemilestone19
ApacheTomcat Version9.0.0 Updatemilestone2
ApacheTomcat Version9.0.0 Updatemilestone20
ApacheTomcat Version9.0.0 Updatemilestone21
ApacheTomcat Version9.0.0 Updatemilestone22
ApacheTomcat Version9.0.0 Updatemilestone23
ApacheTomcat Version9.0.0 Updatemilestone24
ApacheTomcat Version9.0.0 Updatemilestone25
ApacheTomcat Version9.0.0 Updatemilestone26
ApacheTomcat Version9.0.0 Updatemilestone27
ApacheTomcat Version9.0.0 Updatemilestone3
ApacheTomcat Version9.0.0 Updatemilestone4
ApacheTomcat Version9.0.0 Updatemilestone5
ApacheTomcat Version9.0.0 Updatemilestone6
ApacheTomcat Version9.0.0 Updatemilestone7
ApacheTomcat Version9.0.0 Updatemilestone8
ApacheTomcat Version9.0.0 Updatemilestone9
ApacheTomcat Version10.0.0 Updatemilestone1
ApacheTomcat Version10.0.0 Updatemilestone10
ApacheTomcat Version10.0.0 Updatemilestone2
ApacheTomcat Version10.0.0 Updatemilestone3
ApacheTomcat Version10.0.0 Updatemilestone4
ApacheTomcat Version10.0.0 Updatemilestone5
ApacheTomcat Version10.0.0 Updatemilestone6
ApacheTomcat Version10.0.0 Updatemilestone7
ApacheTomcat Version10.0.0 Updatemilestone8
ApacheTomcat Version10.0.0 Updatemilestone9
ApacheTomcat Version11.0.0 Updatemilestone1
ApacheTomcat Version11.0.0 Updatemilestone10
ApacheTomcat Version11.0.0 Updatemilestone11
ApacheTomcat Version11.0.0 Updatemilestone12
ApacheTomcat Version11.0.0 Updatemilestone13
ApacheTomcat Version11.0.0 Updatemilestone14
ApacheTomcat Version11.0.0 Updatemilestone15
ApacheTomcat Version11.0.0 Updatemilestone16
ApacheTomcat Version11.0.0 Updatemilestone17
ApacheTomcat Version11.0.0 Updatemilestone18
ApacheTomcat Version11.0.0 Updatemilestone19
ApacheTomcat Version11.0.0 Updatemilestone2
ApacheTomcat Version11.0.0 Updatemilestone20
ApacheTomcat Version11.0.0 Updatemilestone21
ApacheTomcat Version11.0.0 Updatemilestone22
ApacheTomcat Version11.0.0 Updatemilestone23
ApacheTomcat Version11.0.0 Updatemilestone24
ApacheTomcat Version11.0.0 Updatemilestone25
ApacheTomcat Version11.0.0 Updatemilestone26
ApacheTomcat Version11.0.0 Updatemilestone3
ApacheTomcat Version11.0.0 Updatemilestone4
ApacheTomcat Version11.0.0 Updatemilestone5
ApacheTomcat Version11.0.0 Updatemilestone6
ApacheTomcat Version11.0.0 Updatemilestone7
ApacheTomcat Version11.0.0 Updatemilestone8
ApacheTomcat Version11.0.0 Updatemilestone9
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.402
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.