SecuriTricks - CVE-2026-25854

Description

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Product(s) Impacted

Vendor	Product	Versions
Apache	Tomcat	11.0.0-11.0.18, 10.1.0-10.1.52, 9.0.0.M23-9.0.115, 8.5.30-8.5.100

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	apache	tomcat	11.0.0-11.0.18	/	/	/	/	/	/	/
a	apache	tomcat	10.1.0-10.1.52	/	/	/	/	/	/	/
a	apache	tomcat	9.0.0.M23-9.0.115	/	/	/	/	/	/	/
a	apache	tomcat	8.5.30-8.5.100	/	/	/	/	/	/	/

References

https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0

http://www.openwall.com/lists/oss-security/2026/04/09/21

CVSS Score

6.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

View Vector String

Timeline

Published: April 9, 2026, 8:16 p.m.
Last Modified: April 10, 2026, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-25854