oss-sec mailing list archives

CVE-2026-32990: Apache Tomcat: Fix for CVE-2025-66614 is incomplete


From: Mark Thomas <markt () apache org>
Date: Thu, 9 Apr 2026 20:49:44 +0100

Severity: moderate

Affected versions:

- Apache Tomcat 11.0.15 through 11.0.19
- Apache Tomcat 10.1.50 through 10.1.52
- Apache Tomcat 9.0.113 through 9.0.115

Description:

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Credit:

zhengg (finder)

References:

https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-32990


Current thread: