CVE-2026-43515 · CRITICAL 9.1 · EPSS percentile 32.9%

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.41% probability of exploitation · percentile 32.9% · scored 2026-06-19T12:03:05Z
Published: 2026-05-12
Last modified: 2026-05-15

Underlying weaknesses · 1

CWE-285

References

  1. https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb
  2. http://www.openwall.com/lists/oss-security/2026/05/12/11

Weakness mapping · 1

Type      | Target                          | Confidence | Tier
Weakness  | Improper Authorization (cwe-285) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-41293
CVE: CVE-2025-31651
CVE: CVE-2026-43512
CVE: CVE-2025-66614
CVE: CVE-2026-29145
CVE: Apache Tomcat Path Equivalence Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.