PULSE
LIVE18signals / 24h
FEED
ransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomincransom reclama a D.MAG New Material Technology Co., Ltd. Taiwan Giant · TW · Manufacturingransomincransom reclama a vedan corp · VN · Agriculture and Food Productionransomincransom reclama a reatile.co.za · ZA · Not Foundransomincransom reclama a V&P Nurseries · US · Agriculture and Food Productionransomqilin reclama a Powder River Heating & Air Conditioning · US · Consumer Servicesransomqilin reclama a Droguería Martorani · AR · Consumer Servicesransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Productionransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomincransom reclama a D.MAG New Material Technology Co., Ltd. Taiwan Giant · TW · Manufacturingransomincransom reclama a vedan corp · VN · Agriculture and Food Productionransomincransom reclama a reatile.co.za · ZA · Not Foundransomincransom reclama a V&P Nurseries · US · Agriculture and Food Productionransomqilin reclama a Powder River Heating & Air Conditioning · US · Consumer Servicesransomqilin reclama a Droguería Martorani · AR · Consumer Servicesransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Production
← All CVEs
CVE WatchJul 15, 2026

CVE-2026-24734

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's F

CVSS

7.5

High

EPSS

0.5%

p39

KEV

Exploit Today

12

0-100

Published: Feb 17, 2026 · Last modified: Jul 15, 2026 · CWE-20 · CWE-295

EPSS · 30d
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Technical description

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-341978.8 HIG
99.9%
KEV80Apache ActiveMQ Improper Input Validation Vulnerability3d
CVE-2026-125699.8 CRI
66.0%
KEV70PTC Windchill and FlexPLM Improper Input Validation Vulnerability18d
CVE-2023-278239.8 CRI
98.9%
30An authentication bypass in Optoma 1080PSTX C02 allows an attacker to access the administration console without valid credentials.9d
CVE-2025-607877.2 HIG
97.0%
29MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.13d
CVE-2017-149197.5 HIG
94.3%
28Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.4d
CVE-2026-482849.6 CRI
94.1%
28ColdFusion is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.3d