Security Update Advisory for Apache Tomcat Vulnerabilities in June
A security update addressing vulnerabilities in Apache Tomcat has been released.
- Affected versions include Apache Tomcat 9.0.83–9.0.118, Apache Tomcat 9.0.13–9.0.118, Apache Tomcat 9.0.0.M1–9.0.118, Apache Tomcat 11.0.0-M1–11.0.22, Apache Tomcat 10.1.0-M7–10.1.55, and Apache Tomcat 10.1.0-M1–10.1.55.
- The vulnerabilities addressed include a bypass of default servlet security restrictions (CVE-2026-55956), a vulnerability in the FFM (Feature Connection Module) connector related to CRL validation errors (CVE-2026-53434), an XSS vulnerability (where malicious scripts are injected into web pages) (CVE-2026-50229), a RewriteValve “ornext” processing error vulnerability (CVE-2026-53404), a missing valid web.xml logging information vulnerability (CVE-2026-55276), and a replay attack vulnerability in the EncryptInterceptor (CVE-2026-55955).
- The Apache Tomcat security advisory was published on June 29, 2026.
- Users should update to the latest version: Apache Tomcat 9.0.119, Apache Tomcat 11.0.23, and Apache Tomcat 10.1.56.
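
A version check built from the ranges and fixed releases listed above, as an added example that is not part of the original advisory or of Apache's tooling. It assumes the widest affected range per branch, because the advisory does not map each range to a CVE; the function names `parse` and `assess` and the status labels are hypothetical.

```python
import re

# Widest affected range per branch as listed in this advisory, plus the fixed release.
# Assumption: the advisory does not map ranges to CVEs, so the per-branch union is used.
ADVISORY = {
    (9, 0): ("9.0.0.M1", "9.0.118", "9.0.119"),
    (10, 1): ("10.1.0-M1", "10.1.55", "10.1.56"),
    (11, 0): ("11.0.0-M1", "11.0.22", "11.0.23"),
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?")


def parse(text):
    """Return a sortable key for the first Tomcat version found in text.

    Milestones (9.0.0.M1, 10.1.0-M7) sort before the release with the same
    numbers, so the key ends with (0, n) for a milestone and (1, 0) otherwise.
    """
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    stage = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (major, minor, patch) + stage


def assess(text):
    """Classify a version string against the advisory: (status, fixed_release)."""
    key = parse(text)
    entry = ADVISORY.get(key[:2])
    if entry is None:
        return ("not-listed", None)  # branch not mentioned in this advisory
    first, last, fixed = entry
    if parse(first) <= key <= parse(last):
        return ("affected", fixed)
    return ("not-affected", fixed)


if __name__ == "__main__":
    # Constructed sample inputs, in the forms Tomcat reports its version.
    for sample in ("Apache Tomcat/9.0.83", "Server number: 10.1.56.0",
                   "11.0.0-M1", "Apache Tomcat/8.5.100"):
        print(f"{sample:28} -> {assess(sample)}")
```

A `not-listed` result means only that the branch does not appear in this advisory, not that the release is safe.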