PT-2026-57992 · Apache · Apache Tomcat

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59083

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.23 Apache Tomcat versions 10.1.0-M1 through 10.1.56 Apache Tomcat versions 9.0.0.M1 through 9.0.119 Apache Tomcat versions 8.5.0 through 8.5.100
Description Improper handling of URL encoding (Hex Encoding) in the rewrite valve allows a security constraint bypass for certain configurations.
Recommendations Upgrade versions 11.0.0-M1 through 11.0.23 to 11.0.24. Upgrade versions 10.1.0-M1 through 10.1.56 to 10.1.57. Upgrade versions 9.0.0.M1 through 9.0.119 to 9.0.120.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59083

Affected Products

Apache Tomcat