Apache Tomcat: Unauthenticated Code Execution via Malicious HTTP Request

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Apache Tomcat: Unauthenticated Code Execution via Malicious HTTP Request

ROOT-APP-MAVEN-CVE-2026-24880

Summary

Apache Tomcat users should update to a patched version to prevent an attacker from executing arbitrary code with elevated privileges via a specially crafted HTTP request. This vulnerability can lead to data theft, system compromise, and other malicious activities. Update to the latest version of io.root.org.apache.tomcat.embed:tomcat-embed-core to fix this issue.

What to do

Update io.root.org.apache.tomcat.embed:tomcat-embed-core to version 10.1.39-root.io.6.
Update io.root.org.apache.tomcat.embed:tomcat-embed-core to version 10.1.39-root.io.8.
Update io.root.org.apache.tomcat.embed:tomcat-embed-core to version 10.1.39-root.io.9.
Update io.root.org.apache.tomcat.embed:tomcat-embed-core to version 10.1.39-root.io.10.

Affected software

Ecosystem	Vendor	Product	Affected versions
Root:Maven	–	io.root.org.apache.tomcat.embed:tomcat-embed-core	< 10.1.39-root.io.6 < 10.1.39-root.io.8 < 10.1.39-root.io.9 < 10.1.39-root.io.10 Fix: upgrade to 10.1.39-root.io.6

Original title

CVE-2026-24880 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root

Original description

Root has patched CVE-2026-24880 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available.

Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 14 Apr 2026