Multiple vulnerabilities in Apache Tomcat (June 30, 2026)
Multiple vulnerabilities have been discovered in Apache Tomcat. Some of them allow an attacker to cause remote indirect code injection (XSS), security policy bypass, and an unspecified security issue by the vendor.
CSIRTS triage
- What
- Multiple vulnerabilities allow an attacker to cause remote indirect code injection, security policy bypass, and an unspecified security issue.
- Who is affected
- Deployments of Apache Tomcat are affected.
- Urgency
- Remediation is urgent due to the potential for exploitation, although the severity is currently unknown.
- Action
- Users should apply the necessary updates as soon as they are available.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Tomcat
Get an email when a new Tomcat advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0817/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-552760.37% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 29% of all scored CVEs.
- Low exploitation riskCVE-2026-502290.42% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 34% of all scored CVEs.
- Low exploitation riskCVE-2026-559560.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-559550.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
- Low exploitation riskCVE-2026-534340.37% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 29% of all scored CVEs.
- Low exploitation riskCVE-2026-534040.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55276 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-50229 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-55956 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-55955 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-53434 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-53404 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- medium[UPDATE] [medium] Apache Tomcat: Multiple vulnerabilitiescert-bund
- unknownApache Tomcat Multiple Vulnerabilitieshkcert
- mediumCVE-2026-55956: Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified …nvd
- mediumCVE-2026-55955: Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the Enc…nvd
- criticalCVE-2026-55276: Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special…nvd
- criticalCVE-2026-53434: Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CR…nvd
- highCVE-2026-53404: Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve me…nvd
- mediumCVE-2026-50229: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in…nvd
Recent advisories for Apache Tomcat
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- medium[UPDATE] [medium] Apache Tomcat and Tomcat Native: Multiple vulnerabilitiescert-bund · 2026-07-10
- medium[UPDATE] [medium] Apache Tomcat: Multiple vulnerabilitiescert-bund · 2026-07-09
- high[UPDATE] [high] Apache Tomcat: Multiple vulnerabilitiescert-bund · 2026-07-02
- unknownApache Tomcat Multiple Vulnerabilitieshkcert · 2026-07-02
- highCVE-2026-55957: Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was …nvd · 2026-06-29
- mediumCVE-2026-55956: Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified …nvd · 2026-06-29
More from CERT-FR Avis de sécurité
- unknownMultiple vulnerabilities in Red Hat Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Ubuntu Linux kernel (July 10, 2026)2026-07-10
- unknownMultiple vulnerabilities in Progress MOVEit Transfer (July 10, 2026)2026-07-10
- unknownVulnerability in NetApp ONTAP 9 (July 10, 2026)2026-07-10
- unknownVulnerability in CPython (July 10, 2026)2026-07-10