oss-sec mailing list archives
CVE-2026-32990: Apache Tomcat: Fix for CVE-2025-66614 is incomplete
From: Mark Thomas <markt () apache org>
Date: Thu, 9 Apr 2026 20:49:44 +0100
Severity: moderate Affected versions: - Apache Tomcat 11.0.15 through 11.0.19 - Apache Tomcat 10.1.50 through 10.1.52 - Apache Tomcat 9.0.113 through 9.0.115 Description:Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Credit: zhengg (finder) References: https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7 https://tomcat.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-32990
Current thread:
- CVE-2026-32990: Apache Tomcat: Fix for CVE-2025-66614 is incomplete Mark Thomas (Apr 09)
