CVE-2026-34483: Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve

April 9, 2026 (updated April 10, 2026)

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

References

github.com/advisories/GHSA-rv64-5gf8-9qq8
github.com/apache/tomcat
lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b
nvd.nist.gov/vuln/detail/CVE-2026-34483

Code Behaviors & Features

Detect and mitigate CVE-2026-34483 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →