CVE-2026-34483

CWE-116 CWE-8388 documents7 sources

Severity

7.5HIGH

No vector

EPSS

0.0%

top 91.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat9.0.40 — 9.0.116+2

▶Mavenorg.apache.tomcat:tomcat-catalina9.0.40 — 9.0.116+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.40 — 9.0.116+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.20+3

🔴Vulnerability Details

CVEList

Apache Tomcat: Incomplete escaping of JSON access logs↗2026-04-09

▶

GHSA

Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve↗2026-04-09

▶

GHSA

GHSA-rv64-5gf8-9qq8: Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat↗2026-04-09

▶

VulDB

Apache Tomcat up to 8.5.82/8.5.100/9.0.116/10.1.53/11.0.20 JsonAccessLogValve escape output↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve↗2026-04-09

▶

💬Community

Bugzilla

CVE-2026-34483 tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-34483 Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve↗2026-04-09

▶