vulnerability

Apache Tomcat: Low: Incomplete escaping of JSON access logs (CVE-2026-34483)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:C/I:N/A:N)	Apr 10, 2026	Apr 10, 2026	Apr 13, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

Apr 10, 2026

Added

Apr 10, 2026

Modified

Apr 13, 2026

Description

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Solutions

apache-tomcat-upgrade-10_1_54apache-tomcat-upgrade-11_0_21apache-tomcat-upgrade-9_0_117

References

CVE-2026-34483
https://attackerkb.com/topics/CVE-2026-34483
CWE-116
EUVD-EUVD-2026-21053
http://tomcat.apache.org/security-10.html
http://tomcat.apache.org/security-11.html
http://tomcat.apache.org/security-9.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-21053

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report