GHSA-mgp5-rv84-w37q · Severity: high · Ecosystem: maven — Apache Tomcat has an Improper Input Validation vulnerability
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
Conclusion & alert: CVE-2026-24734 is rated Low Risk (34.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.22%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.10% | 0.22% | +0.12% |
| 2 | 2026-03-12 | 0.02% | 0.10% | +0.08% |
| 3 | 2026-02-18 | — | 0.02% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.4 | 3.1 | HIGH |
|
2.2 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-mgp5-rv84-w37q · Severity: high · Ecosystem: maven — Apache Tomcat has an Improper Input Validation vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-24734 not yet assigned priority: Debian including 3 source packages (tomcat10, tomcat11, tomcat9), 12 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 12. | https://security-tracker.debian.org/tracker/CVE-2026-24734 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2026-24734 |
suse
|
medium | CVE-2026-24734 severity moderate: SUSE including 121 source package names (13.2-9.10:gpg2-2.4.4-5.1, 2.1.3-6.51:gpg2-2.4.4-5.1, …), 429 product×package rows across 54 product lines (Container suse/manager/5.0/x86_64/server, Container suse/sl-micro/6.0/baremetal-os-container, … (54 product lines)): Fixed 360, Known Not Affected 36, First Fixed 33. | https://www.suse.com/security/cve/CVE-2026-24734/ |
ubuntu
|
medium | CVE-2026-24734 medium priority: Ubuntu including 6 source packages (tomcat10, tomcat11, tomcat6, tomcat7, tomcat8, tomcat9), 37 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): needs-triage 18, DNE 16, ignored 3. | https://ubuntu.com/security/CVE-2026-24734 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | tomcat | >= 9.0.83, < 9.0.115 | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* |
| apache | tomcat | >= 10.1.1, < 10.1.52 | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* |
| apache | tomcat | >= 11.0.1, < 11.0.18 | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:* |
| apache | tomcat | 10.1.0 | cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:* |
| apache | tomcat | 11.0.0 | cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:* |
| apache | tomcat_native | >= 1.3.0, < 1.3.5 | cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:* |
| apache | tomcat_native | >= 2.0.0, < 2.0.12 | cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml | Issue Tracking Mailing List Vendor Advisory |