Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2811 articles · 175088 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-43515EXPLOITEDPATCHED
apache · tomcat

Apache Tomcat: Security constraints not correctly applied

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Affected Products

VendorProductVersions
apachetomcat11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 8.5.0, 7.0.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassianbamboocert_advisory90%
atlassiancruciblecert_advisory90%
atlassianbitbucketcert_advisory90%
atlassianfisheyecert_advisory90%
atlassianjiracert_advisory90%

References

  • https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb(vendor-advisory)

Related News (7 articles)

Tier B
BSI Advisories2h ago
[NEU] [hoch] SAP Patch Day Juli 2026
→ No new info (linked only)
Tier D
Heise Security4h ago
SAP-Patchday: Teils kritische Sicherheitslücken in mehreren Produkten gefixt
→ No new info (linked only)
Tier B
CERT-FR26d ago
Multiples vulnérabilités dans les produits Atlassian (18 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
CERT-FR62d ago
Multiples vulnérabilités dans Apache Tomcat (13 mai 2026)
→ No new info (linked only)
Tier C
VulDB62d ago
CVE-2026-43515 | Apache Tomcat up to 11.0.21 improper authorization
→ No new info (linked only)
Tier C
oss-security62d ago
CVE-2026-43515: Apache Tomcat: Security constraints not correctly applied
→ No new info (linked only)
CVSS 3.19.1 NONE
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
org.apache.tomcat.embed:tomcat-embed-core@9.0.118org.apache.tomcat.embed:tomcat-embed-core@10.1.55org.apache.tomcat.embed:tomcat-embed-core@11.0.22org.apache.tomcat:tomcat@9.0.118org.apache.tomcat:tomcat@10.1.55org.apache.tomcat:tomcat@11.0.22org.apache.tomcat:tomcat-catalina@9.0.118org.apache.tomcat:tomcat-catalina@10.1.55org.apache.tomcat:tomcat-catalina@11.0.22
CWECWE-285
PublishedMay 12, 2026
Last enriched62d agov3
Trending Score78
Source articles7
Independent5
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-41293EXP
Apache Tomcat: HTTP/2 request headers not validated
Trending: 88
HIGHCVE-2026-40860EXP
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Trending: 73
CRITICALCVE-2026-43512
Apache Tomcat: Digest authenticator will authenticate any unknown user
Trending: 68
HIGHCVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 61
HIGHCVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 61

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 12, 2026
Discovered by ZDM
May 12, 2026
Updated: severity, patchAvailable
May 12, 2026
Updated: severity, activelyExploited
May 12, 2026
Actively Exploited
Jun 4, 2026
Patch Available
Jun 4, 2026

Version History

v3
Last enriched 62d ago
v3Tier C62d ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited
via VulDB
v2Tier C62d ago

Updated severity from NONE to MEDIUM and corrected patch available version to 11.0.22.

severitypatchAvailable
via oss-security
v162d ago

Initial creation