CVE-2026-50229 - Vulnerability Details - OpenCVE

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Tomcat

unaffected

Version	Status	Constraints
`11.0.0-M1`	affected	≤ 11.0.22
`10.1.0-M1`	affected	≤ 10.1.55
`9.0.0.M1`	affected	≤ 9.0.118
`8.5.0`	affected	≤ 8.5.100
`7.0.0`	affected	≤ 7.0.109
`0`	unknown	< 7.0.0

No data.

No data.

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0

History

Mon, 29 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Title		Apache Tomcat: XSS in number guess example
Weaknesses		CWE-80
References		https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-29T20:36:24.683Z

Updated: 2026-06-29T20:37:30.642Z

Reserved: 2026-06-04T09:39:23.609Z

Link: CVE-2026-50229

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-80

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50229", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-04T09:39:23.609Z", "datePublished": "2026-06-29T20:36:24.683Z", "dateUpdated": "2026-06-29T20:37:30.642Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.22", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.55", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.118", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0.109", "status": "affected", "version": "7.0.0", "versionType": "semver"}, {"lessThan": "7.0.0", "status": "unknown", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Erichen, Institute of Computing Technology, Chinese Academy of Sciences"}, {"lang": "en", "type": "finder", "value": "Yashar Shahinzadeh"}, {"lang": "en", "type": "finder", "value": "Amirmohammad Safari"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.</p><p>Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-29T20:37:30.642Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: XSS in number guess example", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}