{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32990", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-17T13:55:48.216Z", "datePublished": "2026-04-09T19:23:49.618Z", "dateUpdated": "2026-04-10T18:39:25.498Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.19", "status": "affected", "version": "11.0.15", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.50", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.113", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "zhengg"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.</p><p>This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:23:49.618Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:38:40.304932Z", "id": "CVE-2026-32990", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:39:25.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:38:40.304932Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:37:37.403Z"}}], "cna": {"title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "zhengg"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.15", "versionType": "semver", "lessThanOrEqual": "11.0.19"}, {"status": "affected", "version": "10.1.50", "versionType": "semver", "lessThanOrEqual": "10.1.52"}, {"status": "affected", "version": "9.0.113", "versionType": "semver", "lessThanOrEqual": "9.0.115"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.</p><p>This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:23:49.618Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32990", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:39:25.498Z", "dateReserved": "2026-03-17T13:55:48.216Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:23:49.618Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "id": "CVE-2026-32990", "lastModified": "2026-04-10T19:16:22.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:24.810", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix", "id": "2457025", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457025"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-184", "details": ["A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue (CVE-2025-66614). This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-32990", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:23:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32990\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32990\nhttps://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"], "statement": "Moderate impact. This improper input validation vulnerability in Apache Tomcat, stemming from an incomplete fix for CVE-2025-66614, affects Red Hat JBoss Web Server and Red Hat Enterprise Linux. An attacker could exploit this flaw to bypass security controls or induce unexpected application behavior.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.15,11.0.19]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.50,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.113,9.0.115]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apache_tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T20:50:59.154376+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to version 11.0.20 or later", "Upgrade to 10.1.53 or later", "Upgrade to 9.0.116 or later", "Verify that the installed Tomcat instance has applied the upgrade"], "summary": {"action": "Assess", "impact": "Potential for unintended behavior due to improper input validation"}, "threat_synthesis": {"affected_systems": "Affected versions include Apache Tomcat 11.x from 11.0.15 up to 11.0.19, 10.x from 10.1.50 to 10.1.52, and 9.x from 9.0.113 to 9.0.115. All installations running these releases are potentially impacted.", "description_and_impact": "Apache Tomcat contains an improper input validation issue stemming from an incomplete patch of a prior vulnerability. The flaw allows malformed input to be processed without adequate checks, which could lead to unexpected behavior or data tampering when the application handles such input. The associated weakness is CWE\u201120.", "risk_and_exploitability": "The CVSS score is not publicly disclosed, and no EPSS data is available, so the exact severity and exploitation probability remain uncertain. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploitation. Based on the description, the likely attack vector involves sending crafted HTTP requests to the server, making it a remote endpoint\u2011facing risk."}}}}, "created": "2026-04-10T08:38:54.559272+00:00", "updated": "2026-04-10T09:29:39.214450+00:00", "vendors": ["apache", "apache$PRODUCT$apache_tomcat"]}