{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34483", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-30T07:40:44.705Z", "datePublished": "2026-04-09T19:30:28.874Z", "dateUpdated": "2026-04-10T20:17:38.858Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.20", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.53", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.116", "status": "affected", "version": "9.0.40", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.84", "versionType": "semver"}, {"lessThanOrEqual": "8.5.83", "status": "unaffected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.</p>"}], "value": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:30:28.874Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Incomplete escaping of JSON access logs", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:53.097Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:16:32.864927Z", "id": "CVE-2026-34483", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:17:38.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:53.097Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34483", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:16:32.864927Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:15:20.161Z"}}], "cna": {"title": "Apache Tomcat: Incomplete escaping of JSON access logs", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.20"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.53"}, {"status": "affected", "version": "9.0.40", "versionType": "semver", "lessThanOrEqual": "9.0.116"}, {"status": "affected", "version": "8.5.84", "versionType": "semver", "lessThanOrEqual": "8.5.100"}, {"status": "unaffected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.5.83"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:30:28.874Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34483", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:17:38.858Z", "dateReserved": "2026-03-30T07:40:44.705Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:30:28.874Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue."}], "id": "CVE-2026-34483", "lastModified": "2026-04-10T21:16:24.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:24.937", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve", "id": "2457044", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457044"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-838", "details": ["A flaw was found in the JsonAccessLogValve component of Apache Tomcat. This improper encoding or escaping of output vulnerability could allow an attacker to inject specially crafted data into log files. This could lead to information disclosure or other unintended consequences when the logs are processed or viewed."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34483", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:30:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34483\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34483\nhttps://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"], "statement": "Low impact. A flaw in the Apache Tomcat JsonAccessLogValve component allows for improper encoding of output. This could enable an attacker to inject specially crafted data into log files, potentially leading to information disclosure or other unintended consequences during log processing. This affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10.", "threat_severity": "Low"}