Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Tomcat Remote Code Execution Vulnerability via JSP Upload

Vulnerability

A remote code execution vulnerability has been identified in Apache Tomcat versions 9.0.0.M1 prior to 9.0.0, 8.5.0 prior to 8.5.23, 8.0.0.RC1 prior to 8.0.47, and 7.0.0 prior to 7.0.82. When HTTP PUT requests were enabled, it was possible to upload a JSP file to the server through a specially crafted request. The uploaded JSP file could then be accessed, and any code it contained would be executed by the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server.

Reproduction

To reproduce this vulnerability, upload a JSP file to a vulnerable Tomcat server with HTTP PUT requests enabled. This can be done by sending a crafted HTTP PUT request that includes the JSP file. Once the file is uploaded, it can be accessed through the server, and any code within the JSP file will be executed.

Remediation

Users should upgrade to Apache Tomcat 9.0.1 or later, 8.5.23 or later, 8.0.47 or later, or 7.0.82 or later.
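The following script is an added example for defenders and is not part of this advisory or of the Apache Tomcat project. It does two things the sections above describe in prose: it decides whether a given Tomcat version string falls inside the affected ranges (using the fixed releases from the Remediation section as the upper bounds), and it scans Tomcat access-log lines for the pattern the Vulnerability and Reproduction sections describe, a write method (PUT or DELETE) aimed at a JSP resource, and a later GET of a JSP that was accepted. It assumes the default "common" AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the log lines, hosts and paths are constructed samples.

```python
"""Affected-version check and access-log triage for the Tomcat PUT/JSP upload issue.

Added example, not advisory or project code. Assumes Tomcat's default
"common" access log format; all sample data below is constructed.
"""
import re
from urllib.parse import unquote

# --- Affected-version check ---------------------------------------------
# Lower bounds come from the advisory's Vulnerability section; upper bounds
# are the fixed releases from its Remediation section (exclusive).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.1"),
    ("8.5.0", "8.5.23"),
    ("8.0.0.RC1", "8.0.47"),
    ("7.0.0", "7.0.82"),
]

_PRE_RE = re.compile(r"^(M|RC)(\d+)$")


def version_key(version):
    """Sortable key for Tomcat versions such as 8.5.22, 9.0.0.M1 or 8.0.0.RC1.
    Milestones (M) sort before release candidates (RC); both sort before the
    final build with the same numbers."""
    parts = version.split(".")
    nums = tuple(int(p) for p in parts[:3])
    if len(parts) == 3:
        return nums + (1, 0, 0)  # final release
    m = _PRE_RE.match(parts[3])
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version}")
    stage = {"M": 0, "RC": 1}[m.group(1)]
    return nums + (0, stage, int(m.group(2)))


def is_affected(version):
    """True if `version` lies in any affected range (inclusive lower, exclusive upper)."""
    v = version_key(version)
    return any(version_key(lo) <= v < version_key(hi) for lo, hi in AFFECTED_RANGES)


# --- Access-log triage ----------------------------------------------------
# Tomcat "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Methods that only succeed when the DefaultServlet allows writes.
WRITE_METHODS = {"PUT", "DELETE"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2026:20:24:01 +0000] "GET /index.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [16/Mar/2026:20:24:07 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 0
198.51.100.23 - - [16/Mar/2026:20:24:12 +0000] "PUT /app/page.jsp HTTP/1.1" 201 0
198.51.100.23 - - [16/Mar/2026:20:24:13 +0000] "GET /app/page.jsp HTTP/1.1" 200 312
203.0.113.7 - - [16/Mar/2026:20:24:20 +0000] "PUT /x.jsp HTTP/1.1" 403 0
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (severity, client, message) findings, in log order.

    - A write method whose decoded path contains ".jsp" (substring match, so
      JSP-like names with extra suffix characters are also caught) is "high"
      if the server accepted it (2xx) and "medium" if it was rejected.
    - Any other accepted write is "low": it shows PUT is enabled at all.
    - A GET of a path that was earlier PUT successfully is "critical".
    """
    findings = []
    accepted_jsp = set()
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue  # skip lines that do not match the expected format
        path = unquote(rec["path"]).lower()
        status = int(rec["status"])
        method = rec["method"]
        host = rec["host"]
        if method in WRITE_METHODS:
            if ".jsp" in path:
                if 200 <= status < 300:
                    findings.append(("high", host, f"{method} of JSP accepted: {rec['path']}"))
                    if method == "PUT":
                        accepted_jsp.add(path)
                else:
                    findings.append(("medium", host, f"{method} of JSP rejected ({status}): {rec['path']}"))
            elif 200 <= status < 300:
                findings.append(("low", host, f"write accepted, PUT is enabled: {rec['path']}"))
        elif method == "GET" and path in accepted_jsp:
            findings.append(("critical", host, f"previously uploaded JSP requested: {rec['path']}"))
    return findings


if __name__ == "__main__":
    for ver in ("8.5.22", "8.5.23", "9.0.0.M1", "7.0.82"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'not affected'}")
    for sev, host, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {host}: {msg}")
```

A "medium" finding on a server that returns 403 or 405 for PUT is the expected state once writes are disabled; a "high" or "critical" finding on a version reported as affected is the case to escalate, and the client addresses on those lines are the ones to pivot on in the rest of the logs.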

Added: Mar 16, 2026, 8:24 PM
Updated: Mar 16, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 8.8
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.