Zero Day Monitor (ZDM)
CVE-2026-41293 · EXPLOITED · PATCHED
apache · tomcat

Apache Tomcat: HTTP/2 request headers not validated

Description

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Affected Products

Vendor: apache
Product: tomcat
Versions: 11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 10.0.0-M1, 8.5.0, 8.5.100

References

  • https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r (vendor-advisory)

Related News (3 articles)

Tier B · CERT-FR · 1d ago
Multiple vulnerabilities in Apache Tomcat (13 May 2026)
→ No new info (linked only)

Tier C · VulDB · 1d ago
CVE-2026-41293 | Apache Tomcat up to 11.0.21 input validation
→ No new info (linked only)

Tier C · oss-security · 2d ago
CVE-2026-41293: Apache Tomcat: HTTP/2 request headers not validated
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r
CWE: CWE-20
Published: May 12, 2026
Last enriched: 1d ago (v3)
Tags: CVE-2026-41293
Trending Score: 52
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 54

CRITICAL · CVE-2026-43515 · EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 52

NONE · CVE-2026-41284 · EXP
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Trending: 52

NONE · CVE-2026-42498 · EXP
Apache Tomcat: WebSocket authentication header exposure
Trending: 52

HIGH · CVE-2026-29129 · EXP
Apache Tomcat: TLS cipher order is not preserved
Trending: 44

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

May 12, 2026 · CVE Published
May 12, 2026 · Discovered by ZDM
May 12, 2026 · Actively Exploited
May 12, 2026 · Exploit Available
May 12, 2026 · Patch Available
May 12, 2026 · Updated: severity, affectedVersions, exploitAvailable, activelyExploited
May 12, 2026 · Updated: severity, tags

Version History

v3
Last enriched 1d ago
v3 · Tier C · 1d ago

Updated severity to CRITICAL and added CVE ID CVE-2026-41293.

severity, tags
via VulDB

v2 · Tier C · 1d ago

Updated severity to LOW, added affected version 8.5.100, and marked exploit availability and active exploitation as true.

severity, affectedVersions, exploitAvailable, activelyExploited
via oss-security

v1 · 1d ago

Initial creation