PT-2026-57992 · Apache · Apache Tomcat
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-59083
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.23
Apache Tomcat versions 10.1.0-M1 through 10.1.56
Apache Tomcat versions 9.0.0.M1 through 9.0.119
Apache Tomcat versions 8.5.0 through 8.5.100
Description
Improper handling of URL encoding (Hex Encoding) in the rewrite valve allows a security constraint bypass for certain configurations.
Recommendations
Upgrade versions 11.0.0-M1 through 11.0.23 to 11.0.24.
Upgrade versions 10.1.0-M1 through 10.1.56 to 10.1.57.
Upgrade versions 9.0.0.M1 through 9.0.119 to 9.0.120.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Tomcat