Description
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Improper Output Encoding
Action: Patch
AI Analysis

Impact

The vulnerability stems from incomplete escaping of JSON data in the JsonAccessLogValve component of Apache Tomcat. When client requests contain untrusted input that is recorded to JSON access logs, that input is written without proper encoding. An attacker could embed crafted JSON structures or script fragments that, when later viewed by an administrator or through a log‑viewer interface, may trigger cross‑site scripting, injection or even execution of code in the context of the logging application. The impact is primarily information disclosure and potential compromise of the logging platform, and potentially the web tier that displays those logs.

Affected Systems

This flaw affects Apache Tomcat releases 9.0.40 through 9.0.116, 10.1.0‑M1 through 10.1.53, and 11.0.0‑M1 through 11.0.20. The affected component is the JsonAccessLogValve used for writing JSON‑formatted access logs.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, so widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to send crafted requests that are logged and to subsequently gain read access to the log files or to a log‑viewing interface. For environments that expose log files to the web or rely on shared log viewer applications, the risk can be higher. Tier‑1 organizations should monitor for unusual log activity and apply the recommended patch promptly.

Generated by OpenCVE AI on April 14, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the latest supported release: 9.0.117, 10.1.54, or 11.0.21, which contain the fix for JsonAccessLogValve encoding.
  • If an upgrade is not immediately possible, restrict read/write access to the JSON access log location to trusted administrative users only and avoid exposing log files via the web.
  • Verify that no untrusted data is being written to logs by disabling or sanitizing verbose logging for untrusted request parameters until a patch can be applied.

Generated by OpenCVE AI on April 14, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rv64-5gf8-9qq8 Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
History

Tue, 14 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-838
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Low

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
Title Apache Tomcat: Incomplete escaping of JSON access logs
Weaknesses CWE-116
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T20:17:38.858Z

Reserved: 2026-03-30T07:40:44.705Z

Link: CVE-2026-34483

cve-icon Vulnrichment

Updated: 2026-04-09T23:15:53.097Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T20:16:24.937

Modified: 2026-04-14T12:46:39.530

Link: CVE-2026-34483

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-09T19:30:28Z

Links: CVE-2026-34483 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:49Z

Weaknesses