Description
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
References (2)
Core References
Vendor Advisory
https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f
Scores
CVSS v3
7.5
EPSS
0.0024
EPSS Percentile
14.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-327
Status
published
Products (14)
apache/tomcat
9.0.114 - 9.0.116
Apache Software Foundation/Apache Tomcat
10.1.51 - 10.1.52
Apache Software Foundation/Apache Tomcat
11.0.16 - 11.0.18
Apache Software Foundation/Apache Tomcat
9.0.114 - 9.0.115
org.apache.tomcat/tomcat
10.1.51 - 10.1.53 (Maven)
org.apache.tomcat/tomcat
11.0.16 - 11.0.20 (Maven)
org.apache.tomcat/tomcat
9.0.114 - 9.0.116 (Maven)
org.apache.tomcat/tomcat-catalina
9.0.114 - 9.0.116 (Maven)
org.apache.tomcat/tomcat-coyote
10.1.51 - 10.1.53 (Maven)
org.apache.tomcat/tomcat-coyote
11.0.16 - 11.0.20 (Maven)
... and 4 more
Published
Apr 09, 2026
Tracked Since
Apr 10, 2026