CVE-2026-34483

CVE-2026-34483: Apache Tomcat: Incomplete escaping of JSON access logs

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-116

Published April 9, 2026

Last update April 10, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Key dates

Disclosure timeline

April 9, 2026 CVE published

April 10, 2026 Record updated

Identifiers

CVE CVE-2026-34483

CWE CWE-116

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.20

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.53

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.40 and ≤ 9.0.116

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 8.5.84 and ≤ 8.5.100