Improper Input Validation Vulnerability in Apache Tomcat by Apache
CVE-2026-41293

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-41293?

An improper input validation vulnerability has been identified in Apache Tomcat, affecting various versions across different branches. This flaw allows for potentially malicious input to be processed, which could lead to unintended behaviors or security issues. It is crucial for users running affected versions to upgrade to the latest releases to ensure their systems are secure and resilient against potential exploits.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.21

Apache Tomcat 10.1.0-M1 <= 10.1.54

Apache Tomcat 9.0.0.M1 <= 9.0.117

References

https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll55...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Dawit Jeong (@dawitngoliath)

CVE-2026-41293 Data

JSON