{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-09T19:23:49Z",
  "bugzilla" : {
    "description" : "Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix",
    "id" : "2457025",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457025"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-184",
  "details" : [ "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.", "A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue (CVE-2025-66614). This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application." ],
  "statement" : "Moderate impact. This improper input validation vulnerability in Apache Tomcat, stemming from an incomplete fix for CVE-2025-66614, affects Red Hat JBoss Web Server and Red Hat Enterprise Linux. An attacker could exploit this flaw to bypass security controls or induce unexpected application behavior.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Web Server 6.2.2",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12195",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 10",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el10",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el10jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 8",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el8",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 9",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el9",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat9",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32990\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32990\nhttps://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7" ],
  "name" : "CVE-2026-32990",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}