PT-2026-31696 · Apache+2 · Apache Tomcat+2

Xclow3N · Published 2026-03-23 · Updated 2026-05-22 · CVE-2026-24880

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M1 through 9.0.115, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109

Description

An inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') exists in Apache Tomcat due to an invalid chunk extension. This can potentially allow an attacker to smuggle requests, leading to unexpected behavior or security breaches.

Recommendations

Upgrade to version 11.0.20
Upgrade to version 10.1.52
Upgrade to version 9.0.116

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

BDU:2026-06932
BIT-TOMCAT-2026-24880
CVE-2026-24880
GHSA-563X-Q5RQ-57QP
MGASA-2026-0095
OESA-2026-1970
OPENSUSE-SU-2026:10547-1
OPENSUSE-SU-2026:10548-1
OPENSUSE-SU-2026:10549-1
OPENSUSE-SU-2026:20595-1
OPENSUSE-SU-2026:20611-1
OPENSUSE-SU-2026:20612-1
SUSE-SU-2026:1558-1
SUSE-SU-2026:1572-1
SUSE-SU-2026:1603-1
SUSE-SU-2026:1604-1

Affected Products

Apache Tomcat
Confluence
Red Os