CVE-2026-50229

Cross-Site Scripting
Affects: Apache Tomcat
Versions: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Tomcat is an open-source web server and servlet container, maintained by the Apache Software Foundation, that implements the Jakarta Servlet, Jakarta Pages (JSP), Jakarta Expression Language, and Jakarta WebSocket specifications and provides a pure-Java HTTP environment for running Java web applications.

A cross-site scripting vulnerability (CVE-2026-50229) has been identified in the bundled examples web application's "number guess" demo, which allows attackers to inject and reflect arbitrary script into a victim's browser session through unfiltered request parameters.

Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

This issue affects the bundled examples web application shipped with Apache Tomcat, a sample application intended for evaluation that is typically not deployed in production. The vulnerable code is not part of any core servlet-container library module.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: The bundled examples web application (sample app shipped in the Apache Tomcat distribution, not a published Maven library artifact)
  • Affected versions: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
  • GitHub repository: https://github.com/apache/tomcat
  • Published packages: The examples web application ships inside the Apache Tomcat binary distribution; it is not published as a standalone org.apache.tomcat Maven coordinate.
  • Package manager: Maven
  • Fixed in:

Vulnerability Info

This Low-severity vulnerability is found in the bundled examples web application in the affected versions of Apache Tomcat. The "number guess" demo JSP at webapps/examples/jsp/num/numguess.jsp binds the session-scoped num.NumberGuessBean to incoming request parameters with a wildcard property mapping:

<jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
<jsp:setProperty name="numguess" property="*"/>

The property="*" form instructs the JSP container to call a matching setter for every request parameter, so an attacker can populate any writable bean property, including hint, rather than only the intended guess value. The same page later renders the hint property back into the response without escaping:

Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.

Because the bean is session-scoped, a request such as numguess.jsp?guess=5&hint=<script>...</script> writes the attacker-controlled value through setHint(String), and the next render of the page reflects it unescaped into the HTML body, executing the injected script in the victim's browser. The example is unauthenticated and requires no special server configuration beyond the examples web application being deployed and reachable.
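As an added illustration (not code from Apache Tomcat or from this advisory), the following Java program mimics what the container does for property="*" against a simplified stand-in bean, then shows the two defensive changes: binding only the expected guess parameter and HTML-encoding the value before it is rendered. The bean class, the binding helpers and the request values are all constructed for this example.

```java
import java.lang.reflect.Method;
import java.util.Map;

public class NumGuessBindingDemo {
    // Simplified stand-in for num.NumberGuessBean, constructed for this example.
    public static class NumberGuessBean {
        private String guess = "", hint = "higher";
        public void setGuess(String g) { guess = g; }
        public void setHint(String h) { hint = h; }
        public String getHint() { return hint; }
    }

    // Mimics <jsp:setProperty property="*"/>: every request parameter that has a
    // matching public setXxx(String) setter is written into the bean, hint included.
    public static void bindAllParameters(Object bean, Map<String, String> params) {
        for (Map.Entry<String, String> p : params.entrySet()) {
            String name = p.getKey();
            if (name.isEmpty()) continue;
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                Method m = bean.getClass().getMethod(setter, String.class);
                m.invoke(bean, p.getValue());
            } catch (ReflectiveOperationException ignored) {
                // no matching setter: the container silently skips the parameter
            }
        }
    }

    // Hardened binding: an explicit allow-list of the one parameter the page expects,
    // the effect of <jsp:setProperty name="numguess" property="guess"/>.
    public static void bindGuessOnly(NumberGuessBean bean, Map<String, String> params) {
        if (params.containsKey("guess")) bean.setGuess(params.get("guess"));
    }

    // HTML text-context encoding, the same escaping JSTL <c:out> applies by default.
    public static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&#034;").replace("'", "&#039;");
    }

    public static void main(String[] args) {
        // Constructed request: the expected guess plus an unexpected script-bearing hint.
        Map<String, String> params = Map.of("guess", "5", "hint", "<script>x</script>");
        NumberGuessBean vulnerable = new NumberGuessBean();
        bindAllParameters(vulnerable, params);   // hint is now attacker-controlled
        System.out.println("wildcard, raw:     Try <b>" + vulnerable.getHint() + "</b>.");
        NumberGuessBean hardened = new NumberGuessBean();
        bindGuessOnly(hardened, params);         // hint keeps the bean's own value
        System.out.println("explicit, escaped: Try <b>" + escapeHtml(hardened.getHint()) + "</b>.");
    }
}
```

Either change on its own closes the reported path; applying both means a future writable property cannot be reached from the request and a future unescaped output cannot carry markup.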

This vulnerability has been present since at least Apache Tomcat 7.0 and likely earlier.

Steps to Reproduce

1. Deploy a build of Apache Tomcat in the affected range with the bundled examples web application available (the default /examples/ context).

2. Send a request that supplies both the expected guess parameter and an extra script-bearing parameter that maps to the bean's hint property, for example:

GET /examples/jsp/num/numguess.jsp?guess=5&hint=<script>alert(document.cookie)</script>

3. Because the wildcard property mapping binds hint onto the session bean, the response renders the injected markup unescaped inside the Try <b>...</b> text, and the script executes in the browser.

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Erichen from the Institute of Computing Technology, Chinese Academy of Sciences (finder)
  • Yashar Shahinzadeh (finder)
  • Amirmohammad Safari (finder)
Vulnerability Details

Severity: Low

  Level      CVSS Assessment
  Low        >=0 <4
  Medium     >=4 <6
  High       >=6 <8
  Critical   >=8 <10

ID: CVE-2026-50229
Project affected: Apache Tomcat
Versions affected: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
NES versions affected:
Published date: July 1, 2026
≈ Fix date:
Category: Cross-Site Scripting