DEBIAN-CVE-2026-24733

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-24733

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-24733

Upstream

CVE-2026-24733

Downstream

DSA-6120-1

DSA-6121-1

Published

2026-02-17T19:21:56.820Z

Modified

2026-03-12T09:00:12.784743Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.

References

https://security-tracker.debian.org/tracker/CVE-2026-24733

Affected packages

Debian:11

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Affected versions

9.*

9.0.43-1

9.0.43-2~deb11u1

9.0.43-2~deb11u2

9.0.43-2~deb11u3

9.0.43-2~deb11u4

9.0.43-2~deb11u5

9.0.43-2~deb11u6

9.0.43-2~deb11u7

9.0.43-2~deb11u8

9.0.43-2~deb11u9

9.0.43-2~deb11u10

9.0.43-2~deb11u11

9.0.43-2~deb11u12

9.0.43-2

9.0.43-3

9.0.53-1

9.0.54-1

9.0.55-1

9.0.58-1

9.0.62-1

9.0.63-1

9.0.64-1

9.0.64-2

9.0.65-1

9.0.67-1

9.0.68-1

9.0.68-1.1

9.0.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

Debian:12

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.52-1~deb12u1

Affected versions

10.*

10.1.6-1

10.1.6-1+deb12u1

10.1.6-1+deb12u2

10.1.7-1

10.1.8-1

10.1.9-1

10.1.10-1

10.1.13-1

10.1.14-1

10.1.15-1

10.1.16-1

10.1.20-1

10.1.23-1

10.1.25-1~bpo12+1

10.1.25-1

10.1.25-2

10.1.30-1~bpo12+1

10.1.30-1

10.1.31-1

10.1.33-1~bpo12+1

10.1.33-1

10.1.34-0+deb12u1

10.1.34-0+deb12u2

10.1.34-1

10.1.35-1

10.1.40-1~bpo12+1

10.1.40-1

10.1.46-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

Debian:13

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.52-1~deb13u1

Affected versions

10.*

10.1.40-1

10.1.46-1

10.1.52-1~deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

tomcat11

Package

Name: tomcat11
Purl: pkg:deb/debian/tomcat11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.0.15-1~deb13u1

Affected versions

11.*

11.0.6-1

11.0.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

Debian:14

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.52-1

Affected versions

10.*

10.1.40-1

10.1.46-1

10.1.52-1~deb12u1

10.1.52-1~deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

tomcat11

Package

Name: tomcat11
Purl: pkg:deb/debian/tomcat11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.0.15-1

Affected versions

11.*

11.0.6-1

11.0.11-1

11.0.15-1~deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24733.json"