Apache Tomcat ↗
Apache · Web / Runtime
100/100 Healthy
Summary iPlain-English security verdict for Apache Tomcat, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Apache Tomcat currently scores 100/100 — healthy. 6 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2020-1938) — staying on the latest supported version keeps you clear of them. The latest supported release is 11.0.22. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend iNew CVEs published for Apache Tomcat each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
'19
'20
'21
'22
'23
'24
'25
'26
⚠ 1 of its known vulnerability is linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2020-1938 CRITICAL ● exploited EPSS 94% → fixed in 9.0.31 CVE-2023-44487 HIGH ● exploited Uncontrolled resource consumption EPSS 94% → see advisory CVE-2017-12617 HIGH ● exploited Unrestricted file upload EPSS 94% → fixed in 9.0.1 CVE-2017-12615 HIGH ● exploited ⚠ ransomware Unrestricted file upload EPSS 94% → see advisory CVE-2025-24813 CRITICAL ● exploited CWE-44 EPSS 94% → fixed in 11.0.3 CVE-2016-8735 CRITICAL ● exploited EPSS 94% → fixed in 8.5.7 CVE-2019-0232 HIGH OS command injection EPSS 94% → see advisory CVE-2020-9484 HIGH Insecure deserialization EPSS 93% → fixed in 9.0.43 CVE-2008-2938 MEDIUM Path traversal EPSS 93% → see advisory CVE-2014-0050 HIGH CWE-264 EPSS 93% → see advisory CVE-2020-13935 HIGH CWE-835 EPSS 92% → see advisory CVE-2017-12616 HIGH Information disclosure EPSS 91% → see advisoryVersions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Apache Tomcat release line is supported — and when it sunsets.
11.0 latest 11.0.22 Supported
10.1 latest 10.1.55 Supported
10.0 latest 10.0.27 End of life ended 2022-10-31
9.0 latest 9.0.118 Supported until 2027-03-31
8.5 latest 8.5.100 End of life ended 2024-03-31
8.0 latest 8.0.53 End of life ended 2018-06-30
7 latest 7.0.109 End of life ended 2021-03-31
6 latest 6.0.53 End of life ended 2016-12-31
5 latest 5.5.36 End of life ended 2012-09-30
See all upcoming end-of-life dates →