{"api_version":"1","generated_at":"2026-04-11T00:01:38+00:00","cve":"CVE-2026-24880","urls":{"html":"https://cve.report/CVE-2026-24880","api":"https://cve.report/api/cve/CVE-2026-24880.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-24880","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-24880"},"summary":{"title":"Apache Tomcat: Request smuggling via invalid chunk extension","description":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.","state":"PUBLISHED","assigner":"apache","published_at":"2026-04-09 20:16:24","updated_at":"2026-04-10 19:16:21"},"problem_types":["CWE-444","CWE-444 CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}}],"references":[{"url":"https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn","name":"https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn","refsource":"security@apache.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2026/04/09/20","name":"http://www.openwall.com/lists/oss-security/2026/04/09/20","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-24880","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24880","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 11.0.0-M1 11.0.18 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 10.1.0-M1 10.1.52 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 9.0.0.M1 9.0.115 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 8.5.0 8.5.100 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 7.0.0 7.0.109 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"unknown 7.0.0 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"unknown 8.0.0-RC1 8.0.53 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Xclow3n","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"24880","cve":"CVE-2026-24880","epss":"0.000180000","percentile":"0.048720000","score_date":"2026-04-10","updated_at":"2026-04-11 00:00:33"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-04-09T23:15:44.782Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/09/20"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-24880","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-10T18:33:19.886460Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-10T18:33:49.308Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Tomcat","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"11.0.18","status":"affected","version":"11.0.0-M1","versionType":"semver"},{"lessThanOrEqual":"10.1.52","status":"affected","version":"10.1.0-M1","versionType":"semver"},{"lessThanOrEqual":"9.0.115","status":"affected","version":"9.0.0.M1","versionType":"semver"},{"lessThanOrEqual":"8.5.100","status":"affected","version":"8.5.0","versionType":"semver"},{"lessThanOrEqual":"7.0.109","status":"affected","version":"7.0.0","versionType":"semver"},{"lessThan":"7.0.0","status":"unknown","version":"0","versionType":"semver"},{"lessThanOrEqual":"8.0.53","status":"unknown","version":"8.0.0-RC1","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Xclow3n"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.<br>Other, unsupported versions may also be affected.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.</p>"}],"value":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue."}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-444","description":"CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-09T19:12:10.730Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Tomcat: Request smuggling via invalid chunk extension","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2026-24880","datePublished":"2026-04-09T19:12:10.730Z","dateReserved":"2026-01-27T18:06:58.294Z","dateUpdated":"2026-04-10T18:33:49.308Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-09 20:16:24","lastModifiedDate":"2026-04-10 19:16:21","problem_types":["CWE-444","CWE-444 CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"24880","Ordinal":"1","Title":"Apache Tomcat: Request smuggling via invalid chunk extension","CVE":"CVE-2026-24880","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"24880","Ordinal":"1","NoteData":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.","Type":"Description","Title":"Apache Tomcat: Request smuggling via invalid chunk extension"}]}}}