CVE-2026-34483 PUBLISHED

Apache Tomcat: Incomplete escaping of JSON access logs

Assigner: apache
Reserved: 30.03.2026 Published: 09.04.2026 Updated: 09.04.2026

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Product Status

Vendor: Apache Software Foundation
Product: Apache Tomcat
Versions (default status: unaffected):
  • affected from 11.0.0-M1 to 11.0.20 (incl.)
  • affected from 10.1.0-M1 to 10.1.53 (incl.)
  • affected from 9.0.40 to 9.0.116 (incl.)
  • affected from 8.5.84 to 8.5.100 (incl.)
  • unaffected from 0 to 8.5.83 (incl.)

Credits

  • Bartlomiej Dmitruk, striga.ai (finder)

Problem Types

  • CWE-116: Improper Encoding or Escaping of Output