VYPR
← All advisories
Medium severity6.1NVD Advisory· Published Apr 9, 2026· Updated Apr 14, 2026

CVE-2026-25854

CVE-2026-25854

Description

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcat-catalinaMaven
>= 8.5.30, < 9.0.1169.0.116
org.apache.tomcat:tomcat-catalinaMaven
>= 10.1.0-M1, < 10.1.5310.1.53
org.apache.tomcat:tomcat-catalinaMaven
>= 11.0.0-M1, < 11.0.2011.0.20
org.apache.tomcat:tomcatMaven
>= 8.5.30, < 9.0.1169.0.116
org.apache.tomcat:tomcatMaven
>= 10.1.0-M1, < 10.1.5310.1.53
org.apache.tomcat:tomcatMaven
>= 11.0.0-M1, < 11.0.2011.0.20
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.5.30, < 9.0.1169.0.116
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 10.1.0-M1, < 10.1.5310.1.53
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 11.0.0-M1, < 11.0.2011.0.20

Affected products

6
  • Apache/Tomcat6 versions
    cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*range: >=9.0.1,<9.0.116
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.