CVE-2026-34483

Name	CVE-2026-34483
Description	Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1133356, 1133357

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat10 (PTS)	bookworm	10.1.34-0+deb12u2	vulnerable
	bookworm (security)	10.1.52-1~deb12u1	vulnerable
	trixie (security), trixie	10.1.52-1~deb13u1	vulnerable
	forky, sid	10.1.54-1	fixed
tomcat11 (PTS)	trixie (security), trixie	11.0.15-1~deb13u1	vulnerable
	forky, sid	11.0.21-1	fixed
tomcat9 (PTS)	bullseye	9.0.43-2~deb11u10	vulnerable
	bullseye (security)	9.0.107-0+deb11u2	fixed
	bookworm	9.0.70-2	fixed
	trixie	9.0.95-1	fixed
	forky, sid	9.0.115-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
tomcat10	source	(unstable)	10.1.54-1	1133356
tomcat11	source	(unstable)	11.0.21-1	1133357
tomcat9	source	(unstable)	9.0.70-2

Notes

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
Fixed by: https://github.com/apache/tomcat/commit/f9ddc24fcfcdfaea4a6953198d8636aca3e957bc (11.0.21)
Fixed by: https://github.com/apache/tomcat/commit/f22dc2ce6cfda8609ed86816c0d78e1a9cbadb06 (10.1.54)
Fixed by: https://github.com/apache/tomcat/commit/97566842589d0b80de138ca719378861fd017d68 (9.0.117)
https://www.openwall.com/lists/oss-security/2026/04/09/26