Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve

GHSA-rv64-5gf8-9qq8 · BIT-tomcat-2026-34483 · CVE-2026-34483

Published Apr 9, 2026 · Modified Apr 16, 2026

Description

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.54, 11.0.21, 9.0.116

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.40

165 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +145 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.54, 11.0.21, 9.0.116

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.40

165 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +145 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.54, 11.0.21, 9.0.116

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.40

165 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +145 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes