Security Update Advisory for Apache Tomcat Vulnerabilities in June

A security update addressing vulnerabilities in Apache Tomcat has been released.

  • Affected versions include Apache Tomcat 9.0.83–9.0.118, Apache Tomcat 9.0.13–9.0.118, Apache Tomcat 9.0.0.M1–9.0.118, Apache Tomcat 11.0.0-M1–11.0.22, Apache Tomcat 10.1.0-M7–10.1.55, and Apache Tomcat 10.1.0-M1–10.1.55.
  • The vulnerabilities addressed include a bypass of default servlet security restrictions (CVE-2026-55956), a vulnerability in the FFM (Feature Connection Module) connector related to CRL validation errors (CVE-2026-53434), an XSS vulnerability (where malicious scripts are injected into web pages) (CVE-2026-50229), a RewriteValve “ornext” processing error vulnerability (CVE-2026-53404), a missing valid web.xml logging information vulnerability (CVE-2026-55276), and a replay attack vulnerability in the EncryptInterceptor (CVE-2026-55955).
  • The Apache Tomcat security advisory was published on June 29, 2026.
  • Users should update to the latest version: Apache Tomcat 9.0.119, Apache Tomcat 11.0.23, and Apache Tomcat 10.1.56.
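
To triage an inventory against the ranges above, the following added example (not code from the advisory or the Apache Tomcat project) classifies a version string and returns the fixed release for its branch. It assumes the widest listed range per branch, since the advisory does not map ranges to individual CVEs; the function names and status labels are hypothetical, and the sample inputs are constructed.

```python
import re

# Widest affected range per branch and its fixed release, as listed in the advisory.
AFFECTED = {
    (9, 0): ("9.0.0.M1", "9.0.118", "9.0.119"),
    (10, 1): ("10.1.0-M1", "10.1.55", "10.1.56"),
    (11, 0): ("11.0.0-M1", "11.0.22", "11.0.23"),
}

# Matches 9.0.83 as well as both milestone spellings: 9.0.0.M1 and 10.1.0-M7.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse(text):
    """Return a sortable key for the first Tomcat version found in text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    # A milestone sorts before the final release carrying the same numbers.
    if m.group(4) is not None:
        return (major, minor, patch, 0, int(m.group(4)))
    return (major, minor, patch, 1, 0)


def check(text):
    """Classify a version string; returns (status, fixed_release_or_None)."""
    key = parse(text)
    if key is None:
        return ("unparsed", None)
    branch = AFFECTED.get(key[:2])
    if branch is None:
        # The advisory lists no range for this branch; it makes no claim either way.
        return ("branch-not-listed", None)
    low, high, fixed = branch
    if parse(low) <= key <= parse(high):
        return ("affected", fixed)
    return ("not-in-range", fixed)


if __name__ == "__main__":
    # Constructed sample inventory; the first line mimics version.sh output.
    for line in ["Server version: Apache Tomcat/9.0.83", "10.1.0-M7",
                 "11.0.23", "10.0.27"]:
        print(f"{line!r}: {check(line)}")
```

A result of `branch-not-listed` means the advisory is silent on that branch, not that the installation is safe.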