[CIVN-2026-0355] Multiple Vulnerabilities in Apache Tomcat

By Published On: July 6, 2026

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256


Multiple Vulnerabilities in Apache Tomcat


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)



Severity Rating: HIGH


Software Affected


Apache Tomcat 9 versions prior to 9.0.119

Apache Tomcat 10.1 versions prior to 10.1.56

Apache Tomcat 11 versions prior to 11.0.23

Overview


Multiple vulnerabilities have been reported in Apache Tomcat, which could allow a remote attacker to perform cross-site scripting, bypass security restrictions, elevate privileges, or gain unauthorized access to protected resources on the affected system.


Target Audience:

All end-user organizations and individuals responsible for maintaining and updating Apache Tomcat.


Risk Assessment:

Risk of cross-site scripting, authentication bypass, privilege escalation, security restriction bypass, and unauthorized access to protected resources.


Impact Assessment:

Potential for sensitive information disclosure and system compromise.


Description


Apache Tomcat is an open-source web server and servlet container that runs Java-based web applications.


Multiple vulnerabilities have been identified in Apache Tomcat due to improper input validation, improper authorization, improper authentication, insufficient enforcement of security constraints, and Incorrect Control Flow Implementation in various components.


Successful exploitation of these vulnerabilities could allow a remote attacker to perform cross-site scripting, bypass security restrictions, elevate privileges, or gain unauthorized access to protected resources on the affected system.


Solution


Apply appropriate security updates as mentioned in the Apache Tomcat Security Updates:

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.119


https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.56


https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.23



Vendor Information


Apache Tomcat

https://tomcat.apache.org/


References


Apache Tomcat

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.119

https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.56

https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.23


CVE Name

CVE-2026-50229

CVE-2026-53404

CVE-2026-53434

CVE-2026-55276

CVE-2026-55955

CVE-2026-55956




– —


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–


iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpLwWcACgkQ3jCgcSdc

ys/cbw/+ImPeg3XZXShjeFu9YWNXv2w2X/hRdYUkWpya9gvhtqd9VYjZbavQ5BuC

Q6DERV6QJoel276a/vamOqQEhnOI4YyFzK7oHhWG1XpgNDxgJxAVOBqWSm9F5IFE

5pr/GzVTLo/ROT+e7o053TPmA1f0okwBJQZexat01qY9Xe0oHrj4l1m9xkpPUpdi

VjlYOBBpdZPk3SFQzjDb8mwABYItyzFNaYB21tF/wBjSYsx/QHitvSld4qUbx76f

ZA/LjTlv4+7thoxYAvFtSwB/QiMxfc/JzFxH3kQ3u6yQafKGa+5hDiy9kduWW3uX

1W+bm6uVVDdh1XhbvkUx+xEBzi3poFseGcDL4/FdWiAG09kJRZlMswGa9MHe8oE1

vSUWaId4Wyda74JG6YmZFFxqfTxh4dl7k/GdySmww7Sn1L5614tM/FBRluOu+sfA

ncGUchYY/kN4rBiqp+lWpx8iB5kj8lDJZOgIWqFJbdPdZH0RKC3nsDBDlI2+xpOq

VfWGAN7QKbnY0/OiLY8d8SlmedYbz2rxuxP6hmEzuO1/BdYTF6mN8DZBZJkugppN

RZ9SHWM1wfPArN4xI8qOAhjjnt0b3OJYSoPQqNbPbxpt2SZvjiE9kpcLLiYhCRML

sMUPM5b33umbdr3ViA2f2Q9zzxwDV67YOtXiDdHz+f6fx4Y7O04=

=ZqKg

—–END PGP SIGNATURE—–

Share this article