Is Applications Manager affected by Tomcat vulnerability CVE-2025-46701?

Applications Manager 9.4 and above

While you can still upgrade Tomcat to the latest version on 9.4.x and 9.5.x, CGI servlet is disabled by default in Tomcat application which we used to ship in 9.4.x and 9.5.x, hence it is not vulnerable

If needed, refer to Upgrading or updating Tomcat.

For version 9.6's integrated webserver, Applications Manager is using Tomcat core library which is unaffected.