CVE-2026-41284

Public on 2026-05-12
Modified on 2026-06-26
Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.4
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core tomcat Pending Fix
Amazon Linux 2 - Tomcat8.5 Extra tomcat No Fix Planned
Amazon Linux 2 - Tomcat9 Extra tomcat 2026-06-08 ALAS2TOMCAT9-2026-026 Fixed
Amazon Linux 2023 tomcat10 2026-06-08 ALAS2023-2026-1776 Fixed
Amazon Linux 2023 tomcat9 2026-06-08 ALAS2023-2026-1770 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H