Apache Tomcat 6 · Version Status

Apache Tomcat 6 End of Life Date

Q: When does Apache Tomcat 6 reach end of life?

Apache Tomcat 6 reached end of life on December 31, 2016. This version is no longer receiving security patches.

Q: What should I upgrade to from Apache Tomcat 6?

The recommended upgrade from Apache Tomcat 6 is Apache Tomcat 11.0 — the latest actively supported version. Check the Apache Tomcat full timeline for all supported versions.

Apache Tomcat 6 end-of-life date, support status, and CVE risk. Data from endoflife.date and official vendor documentation.

EOL Date

Dec 31, 2016

3461 days past EOL

Latest Release

6.0.53

Standard release

Release Date

Oct 21, 2006

Apache Tomcat 6 series

← Apache Tomcat 5 All Apache Tomcat versions Apache Tomcat 7 →

Critical Risk

EOL Risk Score™ How is this calculated? →

EOL Recency

40/40

Attack Surface

20/30 High tier

CISA KEV Exposure

20/20 Yes — CISA KEV

Extended Support

0/10 Available

EOL Risk Score™ — proprietary methodology by endoflife.ai. Factors: EOL recency, attack surface breadth, CISA KEV catalog presence, extended support availability. Updated at every build. Methodology → · View score card →

Recommended upgrade path

Apache Tomcat 11.0

Latest release: 11.0.23 · EOL: Supported

View full Apache Tomcat timeline →

Extended Support

Extended Apache Tomcat 6 support is available

Commercial vendors offer security patches beyond EOL — compare your options.

Compare Options →

All Apache Tomcat Versions

Version	Latest	EOL Date	Status
5	5.5.36	Sep 30, 2012	EOL
→ 6	6.0.53	Dec 31, 2016	EOL
7	7.0.109	Mar 31, 2021	EOL
8.0	8.0.53	Jun 30, 2018	EOL
8.5	8.5.100	Mar 31, 2024	EOL
9.0	9.0.119	Mar 31, 2027	Active
10.0	10.0.27	Oct 31, 2022	EOL
10.1	10.1.56	EOL	Active

What does Apache Tomcat 6 end of life mean?

When Apache Tomcat 6 reaches end of life, the maintainers stop issuing security patches for this version. CVEs discovered after the EOL date are publicly disclosed on the National Vulnerability Database with no patch available. Exploit code frequently appears on GitHub within days of disclosure.

The CVE blind spot: Most vulnerability scanners check for known CVEs but do not flag the ongoing accumulation of unpatched vulnerabilities in EOL software versions. Running Apache Tomcat 6 past its EOL date creates a permanently growing attack surface that standard security tooling will not surface.

Migrate to Apache Tomcat 11.0 or implement compensating controls — network segmentation, enhanced monitoring, restricted access — while migration is underway.

Frequently Asked Questions

When does Apache Tomcat 6 reach end of life?

Apache Tomcat 6 reached end of life on December 31, 2016. This version is no longer receiving security patches.

Is Apache Tomcat 6 still supported?

No. Apache Tomcat 6 reached end of life on December 31, 2016 and is no longer receiving security patches.

What should I upgrade to from Apache Tomcat 6?

The recommended upgrade from Apache Tomcat 6 is Apache Tomcat 11.0 — the latest actively supported version. Check the Apache Tomcat full timeline for all supported versions.

What are the security risks of running Apache Tomcat 6 past EOL?

When Apache Tomcat 6 reaches end of life, the maintainers stop issuing security patches. Any CVEs disclosed after the EOL date accumulate with no remediation path. Most vulnerability scanners do not flag this — it is the CVE blind spot. Organizations running EOL Apache Tomcat should migrate immediately or implement compensating controls.

Data from endoflife.date API · Generated at build time · How we source data →