Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3474 articles · 175721 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-59083EXPLOITEDPATCHED
apache software foundation · apache tomcat

Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass

Description

Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.

Affected Products

VendorProductVersions
apache software foundationapache tomcat11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 8.5.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apachetomcatcert_advisory90%

References

  • https://lists.apache.org/thread/3g63zos2gkjo5vgnrk8kxmosv47w6wbq(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories6h ago
[NEU] [mittel] Apache Tomcat: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security8h ago
CVE-2026-59083: Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass
→ No new info (linked only)
Tier C
VulDB9h ago
CVE-2026-59083 | Apache Tomcat up to 11.0.23/10.1.56/9.0.119/8.5.100 Rewrite Valve encoding error
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
11.0.24
CWECWE-177
PublishedJul 14, 2026
Last enriched3h agov3
Tags
CVE-2026-59083
Trending Score78
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-59084EXP
Apache Tomcat: EncryptInterceptor requirements not clearly documented
Trending: 78
MEDIUMCVE-2026-52760
Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Trending: 34
NONECVE-2026-49098
Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Trending: 17
NONECVE-2026-49365
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Trending: 17
NONECVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Trending: 17

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 14, 2026
Discovered by ZDM
Jul 14, 2026
Updated: severity, patchAvailable
Jul 14, 2026
Updated: description, severity, activelyExploited, tags
Jul 14, 2026
Actively Exploited
Jul 14, 2026
Patch Available
Jul 14, 2026

Version History

v3
Last enriched 3h ago
v3Tier C8h ago

Updated severity to HIGH, added CVE-2026-59083, and clarified exploit availability.

descriptionseverityactivelyExploitedtags
via VulDB
v2Tier C8h ago

Updated severity from NONE to LOW and specified the fixed version as 11.0.24.

severitypatchAvailable
via oss-security
v19h ago

Initial creation