[UPDATE] [medium] Apache Tomcat and Tomcat Native: Multiple vulnerabilities
An attacker can exploit multiple vulnerabilities in Apache Tomcat to bypass security measures, manipulate data, disclose confidential information, conduct open redirect attacks, and carry out other unspecified attacks.
CSIRTS triage
- What
- An attacker can exploit multiple vulnerabilities in Apache Tomcat to bypass security measures, manipulate data, disclose confidential information, conduct open redirect attacks, and carry out other unspecified attacks.
- Who is affected
- Deployments of Apache Tomcat.
- Urgency
- Remediation is medium urgency due to the variety of potential attacks.
- Action
- Apply patches as they become available.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Tomcat
Get an email when a new Tomcat advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1038
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Elevated exploitation riskCVE-2026-3448621.7% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 97% of all scored CVEs.
- Low exploitation riskCVE-2026-248800.45% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all scored CVEs.
- Low exploitation riskCVE-2026-258540.53% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 41% of all scored CVEs.
- Low exploitation riskCVE-2026-291290.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
- Low exploitation riskCVE-2026-291450.71% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 49% of all scored CVEs.
- Moderate exploitation riskCVE-2026-291465.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 91% of all scored CVEs.
- Low exploitation riskCVE-2026-329900.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-344830.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2026-344870.45% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all scored CVEs.
- Low exploitation riskCVE-2026-345000.47% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-34486 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-24880 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-25854 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-29129 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-29145 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-29146 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-32990 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-34483 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-34487 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-34500 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for Apache Tomcat and
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- medium[UPDATE] [medium] Apache Tomcat: Multiple vulnerabilitiescert-bund · 2026-07-09
- high[UPDATE] [high] Apache Tomcat: Multiple vulnerabilitiescert-bund · 2026-07-02
- unknownApache Tomcat Multiple Vulnerabilitieshkcert · 2026-07-02
- unknownMultiple vulnerabilities in Apache Tomcat (June 30, 2026)cert-fr-avis · 2026-06-30
- highCVE-2026-55957: Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was …nvd · 2026-06-29
- mediumCVE-2026-55956: Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified …nvd · 2026-06-29
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10