...
This FAQ section provides help with some security-related issues. If you hear of a vulnerability or its exploitation, please let us know on the security@tomcat.apache.org mailing list.
The Record
There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. There have been no documented cases of data loss or application crashes caused by an intruder. Numerous analyses have been conducted on Tomcat, partly because its openly available source code makes this easy to do, but only theoretical vulnerabilities have been found. All of those were addressed, even though there were no documented cases of actual exploitation of these vulnerabilities.
...