{ "threat_severity" : "Moderate", "public_date" : "2026-04-09T19:23:49Z", "bugzilla" : { "description" : "Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix", "id" : "2457025", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457025" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-184", "details" : [ "A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue (CVE-2025-66614). This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application." ], "statement" : "Moderate impact. This improper input validation vulnerability in Apache Tomcat, stemming from an incomplete fix for CVE-2025-66614, affects Red Hat JBoss Web Server and Red Hat Enterprise Linux. An attacker could exploit this flaw to bypass security controls or induce unexpected application behavior.", "affected_release" : [ { "product_name" : "Red Hat JBoss Web Server 6.2.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12195", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2", "package" : "tomcat" }, { "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 10", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12194", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el10", "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el10jws" }, { "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 8", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12194", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el8", "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 9", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12194", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el9", "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el9jws" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "tomcat9", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "pki-deps:10.6/pki-servlet-engine", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "pki-servlet-engine", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32990\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32990\nhttps://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7" ], "name" : "CVE-2026-32990", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }