Vulnerability in Apache Software Foundation Tomcat
CVE-2026-29146
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 throu…
EPSS: 0.129 (94.2th percentile)
Affected products
- Apache Software Foundation Tomcat — versions 11.0.0-M1, 10.0.0-M1, 9.0.13
References
- lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w (vendor-advisory)