What does upgrading Apache Tomcat 7.0.109 to 9.0.118 fix?

Upgrading Apache Tomcat from 7.0.109 to 9.0.118 clears 9 known vulnerabilities (3 critical, 5 high), including 1 under active exploitation (CISA KEV). No tracked issues remain in 9.0.118.

← Apache Tomcat

Apache Tomcat: 7.0.109 → 9.0.118

Apache · upgrade impact · Official site ↗

From7.0.1099 known issues To9.0.1180 known issues

Fixed by upgrading to 9.0.118 iVulnerabilities that affect 7.0.109 but no longer affect 9.0.118 — the security gain from this upgrade, by exploited status then exploitation probability.

Exploited first, then by exploitation probability (EPSS).

CVE-2025-24813 CRITICAL ● exploited EPSS 94% ✓ cleared in 9.0.118 CVE-2026-29146 HIGH EPSS 13% ✓ cleared in 9.0.118 CVE-2020-8022 HIGH EPSS 0% ✓ cleared in 9.0.118 CVE-2026-43512 CRITICAL EPSS 0% ✓ cleared in 9.0.118 CVE-2026-43514 LOW EPSS 0% ✓ cleared in 9.0.118 CVE-2026-43515 CRITICAL EPSS 0% ✓ cleared in 9.0.118 CVE-2026-43513 HIGH EPSS 0% ✓ cleared in 9.0.118 CVE-2026-41284 HIGH EPSS 0% ✓ cleared in 9.0.118 CVE-2026-42498 HIGH EPSS 0% ✓ cleared in 9.0.118