{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32990", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-17T13:55:48.216Z", "datePublished": "2026-04-09T19:23:49.618Z", "dateUpdated": "2026-04-10T18:39:25.498Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.19", "status": "affected", "version": "11.0.15", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.50", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.113", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "zhengg"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.</p><p>This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:23:49.618Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:38:40.304932Z", "id": "CVE-2026-32990", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:39:25.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:38:40.304932Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:37:37.403Z"}}], "cna": {"title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "zhengg"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.15", "versionType": "semver", "lessThanOrEqual": "11.0.19"}, {"status": "affected", "version": "10.1.50", "versionType": "semver", "lessThanOrEqual": "10.1.52"}, {"status": "affected", "version": "9.0.113", "versionType": "semver", "lessThanOrEqual": "9.0.115"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.</p><p>This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:23:49.618Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32990", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:39:25.498Z", "dateReserved": "2026-03-17T13:55:48.216Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:23:49.618Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C1B78A4-9291-45F2-8A32-B6C5DB17AB05", "versionEndExcluding": "9.0.116", "versionStartIncluding": "9.0.113", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "216DAD3C-4186-4501-BE76-71EAAFCD4330", "versionEndExcluding": "10.1.53", "versionStartIncluding": "10.1.50", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "0369EA67-355F-4E24-B5EE-6E7775EB3C31", "versionEndExcluding": "11.0.20", "versionStartIncluding": "11.0.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "id": "CVE-2026-32990", "lastModified": "2026-04-14T12:47:51.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:24.810", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix", "id": "2457025", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457025"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-184", "details": ["A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue (CVE-2025-66614). This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-32990", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:23:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32990\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32990\nhttps://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"], "statement": "Moderate impact. This improper input validation vulnerability in Apache Tomcat, stemming from an incomplete fix for CVE-2025-66614, affects Red Hat JBoss Web Server and Red Hat Enterprise Linux. An attacker could exploit this flaw to bypass security controls or induce unexpected application behavior.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.15,11.0.19]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.50,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.113,9.0.115]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apache_tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T14:37:00.593940+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to the latest patched versions: 11.0.20, 10.1.53, or 9.0.116 as applicable.", "Confirm the running Tomcat version using the catalyst command or server logs to ensure the patch has been applied.", "If an upgrade cannot be performed immediately, isolate the affected servers behind a restrictive firewall, block suspicious input patterns, and monitor application logs for anomalous requests."], "summary": {"action": "Immediate Patch", "impact": "Improper Input Validation leading to potential misuse of Tomcat services"}, "threat_synthesis": {"affected_systems": "The affected product is Apache Tomcat, specifically versions from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, and from 9.0.113 through 9.0.115. These releases are distributed by the Apache Software Foundation and are commonly used in enterprise Java web applications.", "description_and_impact": "This vulnerability stems from an incomplete fix applied to a prior issue (CVE-2025-66614). The improper input validation allows crafted requests to the Tomcat server to potentially manipulate internal data structures or trigger abnormal behavior. The weakness corresponds to identified CWEs indicating unsafe handling of input sizes and boundary checks, increasing the likelihood of successful exploitation if an attacker can supply malicious input.", "risk_and_exploitability": "The CVSS score of 5.3 places the vulnerability in the medium range, while an EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog, suggesting no known widespread attacks. The likely attack vector is through HTTP requests sent to the Tomcat server, where malicious input could be crafted to trigger the improper input handling. The risk remains moderate until the product is upgraded to the patched releases listed in the advisory."}}}}, "created": "2026-04-10T08:38:54.559272+00:00", "updated": "2026-04-14T16:36:50.302321+00:00", "vendors": ["apache", "apache$PRODUCT$apache_tomcat"]}