Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-34483EXPLOITEDPATCHED

apache · tomcat

Apache Tomcat: Incomplete escaping of JSON access logs

Description

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Affected Products

Vendor	Product	Versions
apache	tomcat	11.0.0-M1, 10.1.0-M1, 9.0.40, 8.5.84, 8.5.100

References

https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b(vendor-advisory)

Related News (2 articles)

Tier C

oss-security7h ago

CVE-2026-34483: Apache Tomcat: Incomplete escaping of JSON access logs

→ No new info (linked only)

Tier C

VulDB9h ago

CVE-2026-34483 | Apache Tomcat up to 8.5.82/8.5.100/9.0.116/10.1.53/11.0.20 JsonAccessLogValve escape output

→ No new info (linked only)

CVSS 3.17.5 LOW

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

0

CWECWE-116

PublishedApr 9, 2026

Last enriched6h agov3

Trending Score51

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-34486EXP

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

HIGHCVE-2025-62188EXP

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, severity, cvssEstimate, cweIds, activelyExploited

Apr 9, 2026

Actively Exploited

Apr 9, 2026

Patch Available

Apr 9, 2026

Updated: severity, affectedVersions

Apr 9, 2026

Version History

v3

Last enriched 6h ago

v3Tier C6h ago

Updated severity to LOW, added affected version 8.5.100, and clarified that versions 8.5.83 and below are unaffected.

severityaffectedVersions

via oss-security

v2Tier C9h ago

Updated description with new details, changed severity to HIGH, set CVSS estimate to 7.5, and noted that no exploit is available.

descriptionseveritycvssEstimatecweIdsactivelyExploited

via VulDB

v19h ago

Initial creation