Zero Day MonitorZDM

← Back to list

—

CVE-2026-43515EXPLOITEDPATCHED

apache · tomcat

Apache Tomcat: Security constraints not correctly applied

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Affected Products

Vendor	Product	Versions
apache	tomcat	11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 8.5.0, 7.0.0

References

https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb(vendor-advisory)

Related News (3 articles)

Tier B

CERT-FR1d ago

Multiples vulnérabilités dans Apache Tomcat (13 mai 2026)

→ No new info (linked only)

Tier C

VulDB1d ago

CVE-2026-43515 | Apache Tomcat up to 11.0.21 improper authorization

→ No new info (linked only)

Tier C

oss-security2d ago

CVE-2026-43515: Apache Tomcat: Security constraints not correctly applied

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

11.0.22

CWECWE-285

PublishedMay 12, 2026

Last enriched1d agov3

Trending Score52

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-29146

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

CRITICALCVE-2026-41293EXP

Apache Tomcat: HTTP/2 request headers not validated

NONECVE-2026-41284EXP

Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

NONECVE-2026-42498EXP

Apache Tomcat: WebSocket authentication header exposure

HIGHCVE-2026-29129EXP

Apache Tomcat: TLS cipher order is not preserved

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 12, 2026

Actively Exploited

May 12, 2026

Patch Available

May 12, 2026

Discovered by ZDM

May 12, 2026

Updated: severity, patchAvailable

May 12, 2026

Updated: severity, activelyExploited

May 12, 2026

Version History

v3

Last enriched 1d ago

v3Tier C1d ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v2Tier C1d ago

Updated severity from NONE to MEDIUM and corrected patch available version to 11.0.22.

severitypatchAvailable

via oss-security

v11d ago

Initial creation