CVE-2026-50229

EUVD-2026-40226

29.06.2026, 21:16

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Basic XSS

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
apache	CNA	UNKNOWN				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
apache	tomcat	𝑥 ≤ 11.0.22	CNA
apache	tomcat	𝑥 ≤ 10.1.55	CNA
apache	tomcat	9.0.0.M1 ≤ 𝑥 ≤ 9.0.118	CNA
apache	tomcat	8.5.0 ≤ 𝑥 ≤ 8.5.100	CNA
apache	tomcat	7.0.0 ≤ 𝑥 ≤ 7.0.109	CNA

Common Weakness Enumeration

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References

https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0

http://www.openwall.com/lists/oss-security/2026/06/29/20