Back to overview

CVE-2026-59083

Description
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.

Metadata

CVE ID
CVE-2026-59083
State
PUBLISHED
Assigner
apache
Reserved
2026-07-02 10:39 UTC
Published
2026-07-14 08:13 UTC
Last updated
2026-07-14 10:33 UTC
Primary CWE
CWE-177
CWE-177 Improper Handling of URL Encoding (Hex Encoding)
Vendor / Product
Apache Software Foundation / Apache Tomcat
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Apache Software Foundation Apache Tomcat 11.0.0-M1 ≤ 11.0.23, 10.1.0-M1 ≤ 10.1.56, 9.0.0.M1 ≤ 9.0.119, 8.5.0 ≤ 8.5.100 …
Weakness (CWE)
CWESourceDescription
CWE-177 cna CWE-177 Improper Handling of URL Encoding (Hex Encoding)
Back to overview