PatchSiren cyber security CVE debrief
CVE-2026-59083 Apache Software Foundation CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.483Z and has not been modified since then. This Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allows security constraint bypass for some configurations. Affected versions include Apache Tomcat 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.0.M1 through 9.0.119, and 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
- Vendor
- Apache Software Foundation
- Product
- Apache Tomcat
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Apache Tomcat versions from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100, and other versions that have reached end of support. Security teams and operators managing Apache Tomcat deployments should review the vulnerability details and plan for necessary upgrades or mitigations.
Technical summary
The Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects multiple versions of Apache Tomcat across different branches, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.0.M1 through 9.0.119, and 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue. The vulnerability has been publicly disclosed and may be targeted by attackers.
Defensive priority
High priority for users of affected Apache Tomcat versions due to potential security constraint bypass. Immediate review and remediation are recommended to prevent potential security incidents.
Recommended defensive actions
- Upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue
- Review and update configurations for security constraints
- Monitor for potential security incidents related to this vulnerability
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence from official CVE and NVD sources indicate vulnerability in Apache Tomcat's rewrite valve. Limited details available on exploitability and affected scope. Defenders should verify configurations, review security constraints, and monitor for potential security incidents related to this vulnerability. Users are advised to check their deployments against affected versions and plan for upgrades or mitigations.
Official resources
-
CVE-2026-59083 CVE record
CVE.org
-
CVE-2026-59083 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.483Z and has not been modified since then.