Improper Neutralization of HTML Tags in Apache Tomcat Web Application
CVE-2026-50229

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-50229?

An improper neutralization issue in the number guess example of Apache Tomcat enables cross-site scripting (XSS). This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. It's crucial for developers and system administrators to ensure that web applications are safeguarded against such exploits by upgrading to the recommended versions, which address the problem and improve overall application security.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.22

Apache Tomcat 10.1.0-M1 <= 10.1.55

Apache Tomcat 9.0.0.M1 <= 9.0.118

References

https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqp...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Erichen, Institute of Computing Technology, Chinese Academy of Sciences

Yashar Shahinzadeh

Amirmohammad Safari

CVE-2026-50229 Data

JSON