vulnerability

Apache Tomcat: Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	May 19, 2026	May 19, 2026	May 19, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

May 19, 2026

Added

May 19, 2026

Modified

May 19, 2026

Description

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Solutions

apache-tomcat-upgrade-10_1_53apache-tomcat-upgrade-11_0_20apache-tomcat-upgrade-9_0_116

References

CVE-2026-32990
https://attackerkb.com/topics/CVE-2026-32990
CWE-20
EUVD-EUVD-2026-21018
http://tomcat.apache.org/security-10.html
http://tomcat.apache.org/security-11.html
http://tomcat.apache.org/security-9.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-21018

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report