Vulnerability DatabaseCVE-2026-24880
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-24880
Published:April 09, 2026
Updated:April 20, 2026
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
Affected Packages
https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=9.0.0-M1 <9.0.116
Fix Suggestion:
Update to version 9.0.116
https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=11.0.0-M1 <11.0.20
Fix Suggestion:
Update to version 11.0.20
https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=10.1.0-M1 <10.1.53
Fix Suggestion:
Update to version 10.1.53
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.116
Fix Suggestion:
Update to version 9.0.116
org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.53
Fix Suggestion:
Update to version 10.1.53
org.apache.tomcat:tomcat-tribes (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.52
Fix Suggestion:
Update to version 10.1.52
org.apache.tomcat:tomcat-tribes (JAVA):
Affected version(s) >=7.0.0 <9.0.116
Fix Suggestion:
Update to version 9.0.116
org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.20
Fix Suggestion:
Update to version 11.0.20
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.20
Fix Suggestion:
Update to version 11.0.20
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.53
Fix Suggestion:
Update to version 10.1.53
org.apache.tomcat:tomcat-tribes (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.20
Fix Suggestion:
Update to version 11.0.20
org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.116
Fix Suggestion:
Update to version 9.0.116
Related ResourcesĀ (14)
https://github.com/apache/tomcat
https://nvd.nist.gov/vuln/detail/CVE-2026-24880
https://github.com/apache/tomcat/commit/2cb06c34f661ca42f7570bbcc21e99806184bcc5
https://github.com/apache/tomcat/commit/fde1a8235fb73125217bd41e162aa0a113f33552
https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn
https://www.herodevs.com/vulnerability-directory/cve-2026-24880
https://github.com/apache/tomcat/commit/1b586d6aa8ae65726da5fa8799427b5d4718478a
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
https://github.com/apache/tomcat/commit/f07df938d00f7419b40fa65aa912966d0efac522
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
https://github.com/apache/tomcat/commit/1e71441a15972f56e661b0b549fb9e5d838b83bb
http://www.openwall.com/lists/oss-security/2026/04/09/20
https://github.com/apache/tomcat/commit/6d478dbe18b7c4bb671c30fedf130309b0dab77c
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-444
EPSS
Base Score:
0.21