CVE-2026-50229
Publication date 29 June 2026
Last updated 16 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tomcat6 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| tomcat7 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Not affected
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| tomcat8 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Fixed 8.5.39-1ubuntu1~18.04.3+esm6
|
|
| 16.04 LTS xenial |
Fixed 8.0.32-1ubuntu1.13+esm2
|
|
| tomcat9 | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| tomcat10 | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| tomcat11 | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
ebarretto
xenial tomcat6 only builds libservlet2.5-java, not the Tomcat server binaries bionic tomcat7 only builds libservlet3.0-java, not the Tomcat server binaries
Severity score breakdown
CVSS version: CVSS v3.0
Base score
6.1 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8551-1
- Tomcat vulnerabilities
- 15 July 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-50229
- https://github.com/apache/tomcat/commit/1fe95d841e9d461a16069974142d12c3ef68819a (11.0.23)
- https://github.com/apache/tomcat/commit/0d5bdd5b0dd964e9f73e530b7d753462b9bfd1d0 (10.1.56)
- https://github.com/apache/tomcat/commit/de5a950415fc67713f17fab63d0c7809e0fca80b (9.0.119)
- https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0
- http://www.openwall.com/lists/oss-security/2026/06/29/20