CVE-2026-41284 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-9.0.37.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /OPENAPI-REST-API/swagger-client/spring/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.37/tomcat-embed-core-9.0.37.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.16.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-2.1.16.RELEASE.jar
- ❌ tomcat-embed-core-9.0.37.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Publish Date: 2026-05-12
URL: CVE-2026-41284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.118
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-41284 - High Severity Vulnerability
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /OPENAPI-REST-API/swagger-client/spring/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.37/tomcat-embed-core-9.0.37.jar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Publish Date: 2026-05-12
URL: CVE-2026-41284
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.118
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Step up your Open Source Security Game with Mend here