Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2811 articles · 175088 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-41293EXPLOITEDPATCHED
apache · tomcat

Apache Tomcat: HTTP/2 request headers not validated

Description

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Affected Products

VendorProductVersions
apachetomcatmaven/org.apache.tomcat.embed:tomcat-embed-core: < 9.0.118, maven/org.apache.tomcat.embed:tomcat-embed-core: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat.embed:tomcat-embed-core: >= 11.0.0-M1, < 11.0.22, maven/org.apache.tomcat:tomcat: < 9.0.118, maven/org.apache.tomcat:tomcat: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat:tomcat: >= 11.0.0-M1, < 11.0.22, maven/org.apache.tomcat:tomcat-catalina: < 9.0.118, maven/org.apache.tomcat:tomcat-catalina: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat:tomcat-catalina: >= 11.0.0-M1, < 11.0.22

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassianbitbucketcert_advisory90%
atlassianfisheyecert_advisory90%
atlassianbamboocert_advisory90%
atlassianjiracert_advisory90%
atlassianconfluencecert_advisory90%

References

  • https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r(vendor-advisory)

Related News (7 articles)

Tier B
BSI Advisories2h ago
[NEU] [hoch] SAP Patch Day Juli 2026
→ No new info (linked only)
Tier D
Heise Security4h ago
SAP-Patchday: Teils kritische Sicherheitslücken in mehreren Produkten gefixt
→ No new info (linked only)
Tier B
CERT-FR26d ago
Multiples vulnérabilités dans les produits Atlassian (18 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
CERT-FR62d ago
Multiples vulnérabilités dans Apache Tomcat (13 mai 2026)
→ No new info (linked only)
Tier C
VulDB62d ago
CVE-2026-41293 | Apache Tomcat up to 11.0.21 input validation
→ No new info (linked only)
Tier C
oss-security62d ago
CVE-2026-41293: Apache Tomcat: HTTP/2 request headers not validated
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
org.apache.tomcat.embed:tomcat-embed-core@9.0.118org.apache.tomcat.embed:tomcat-embed-core@10.1.55org.apache.tomcat.embed:tomcat-embed-core@11.0.22org.apache.tomcat:tomcat@9.0.118org.apache.tomcat:tomcat@10.1.55org.apache.tomcat:tomcat@11.0.22org.apache.tomcat:tomcat-catalina@9.0.118org.apache.tomcat:tomcat-catalina@10.1.55org.apache.tomcat:tomcat-catalina@11.0.22
CWECWE-20
PublishedMay 12, 2026
Last enriched62d agov3
Tags
CVE-2026-41293
Trending Score88
Source articles7
Independent5
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-43515EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 78
HIGHCVE-2026-40860EXP
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Trending: 74
CRITICALCVE-2026-43512
Apache Tomcat: Digest authenticator will authenticate any unknown user
Trending: 68
HIGHCVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 62
HIGHCVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 62

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 12, 2026
Discovered by ZDM
May 12, 2026
Updated: severity, affectedVersions, exploitAvailable, activelyExploited
May 12, 2026
Updated: severity, tags
May 12, 2026
Actively Exploited
May 14, 2026
Exploit Available
May 14, 2026
Patch Available
May 14, 2026

Version History

v3
Last enriched 62d ago
v3Tier C62d ago

Updated severity to CRITICAL and added CVE ID CVE-2026-41293.

severitytags
via VulDB
v2Tier C62d ago

Updated severity to LOW, added affected version 8.5.100, and marked exploit availability and active exploitation as true.

severityaffectedVersionsexploitAvailableactivelyExploited
via oss-security
v162d ago

Initial creation