CVE-2026-32990 PUBLISHED

Apache Tomcat: Fix for CVE-2025-66614 is incomplete

Assigner: apache
Reserved: 17.03.2026 Published: 09.04.2026 Updated: 09.04.2026

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Product Status

Vendor Apache Software Foundation
Product Apache Tomcat
Versions Default: unaffected
  • affected from 11.0.15 to 11.0.19 (incl.)
  • affected from 10.1.50 to 10.1.52 (incl.)
  • affected from 9.0.113 to 9.0.115 (incl.)

Credits

  • zhengg finder

References

Problem Types

  • CWE-20 Improper Input Validation CWE