Zero Day Monitor (ZDM)
CVE-2026-41284 · EXPLOITED · PATCHED
apache · tomcat

Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Affected Products

Vendor: apache
Product: tomcat
Versions: 11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 10.0.0-M1, 8.5.0, 4.0

References

  • https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc (vendor-advisory)

Related News (3 articles)

Tier B · CERT-FR · 1d ago
Multiple vulnerabilities in Apache Tomcat (13 May 2026)
→ No new info (linked only)

Tier C · VulDB · 1d ago
CVE-2026-41284 | Apache Tomcat up to 11.0.21 allocation of resources
→ No new info (linked only)

Tier C · oss-security · 2d ago
CVE-2026-41284: Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc
CWE: CWE-770
Published: May 12, 2026
Last enriched: 1d ago (v3)
Trending Score: 52
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 54

CRITICAL · CVE-2026-41293 · EXP
Apache Tomcat: HTTP/2 request headers not validated
Trending: 52

CRITICAL · CVE-2026-43515 · EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 52

NONE · CVE-2026-42498 · EXP
Apache Tomcat: WebSocket authentication header exposure
Trending: 52

HIGH · CVE-2026-29129 · EXP
Apache Tomcat: TLS cipher order is not preserved
Trending: 44

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

May 12, 2026 · CVE Published
May 12, 2026 · Discovered by ZDM
May 12, 2026 · Updated: severity, affectedVersions, exploitAvailable, activelyExploited
May 12, 2026 · Updated: description, severity
May 13, 2026 · Actively Exploited
May 13, 2026 · Exploit Available
May 13, 2026 · Patch Available

Version History

v3 · Last enriched 1d ago

v3 · Tier C · 1d ago
Updated description with new details, changed severity to MEDIUM, and noted that no exploit exists.
description, severity
via VulDB

v2 · Tier C · 1d ago
Updated severity to LOW, added new affected versions, and marked exploit availability and active exploitation status as true.
severity, affectedVersions, exploitAvailable, activelyExploited
via oss-security

v1 · 1d ago
Initial creation