Vulnerability in Apache Software Foundation Tomcat

CVE-2026-24880

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.002 (38.9th percentile) — read the EPSS interpretation.