{"schema_version":"1.7.2","id":"OESA-2026-2949","modified":"2026-07-09T12:54:20Z","published":"2026-07-09T12:54:20Z","upstream":["CVE-2026-50229","CVE-2026-53404","CVE-2026-53434","CVE-2026-55276","CVE-2026-55955","CVE-2026-55956","CVE-2026-55957"],"summary":"tomcat security update","details":"Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.\r\n\r\nSecurity Fix(es):\n\nImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.(CVE-2026-50229)\n\nAlways-Incorrect Control Flow Implementation vulnerability in Apache Tomcat&apos;s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.(CVE-2026-53404)\n\nDetection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.(CVE-2026-53434)\n\nAlways-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.(CVE-2026-55276)\n\nImproper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.(CVE-2026-55955)\n\nImproper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.(CVE-2026-55956)\n\nMissing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.(CVE-2026-55957)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.119-1.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.119-1.oe2403sp1.noarch.rpm","tomcat-help-9.0.119-1.oe2403sp1.noarch.rpm","tomcat-jsvc-9.0.119-1.oe2403sp1.noarch.rpm"],"src":["tomcat-9.0.119-1.oe2403sp1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2949"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50229"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53404"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53434"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55276"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55955"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55956"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55957"}],"database_specific":{"severity":"Critical"}}
