CVE-2026-34483

Summary

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat11.0.0-M1 <= 11.0.20affected
Apache Software FoundationApache Tomcat10.1.0-M1 <= 10.1.53affected
Apache Software FoundationApache Tomcat9.0.40 <= 9.0.116affected
Apache Software FoundationApache Tomcat8.5.84 <= 8.5.100affected
Apache Software FoundationApache Tomcat0 <= 8.5.83unaffected

Weaknesses

  • CWE-116: CWE-116 Improper Encoding or Escaping of Output

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References