CVE-2026-50229
Fresh advisory, routine amplification; no exploitation signal or defender activity.
What: Improper Neutralization of Script-Related HTML Tags (Basic XSS) in Apache Tomcat's number guess example, part of the bundled examples webapp; affects the 7.0, 8.5, 9.0, 10.1 and 11.0 branches (exact ranges in the Description below). No CVSS/EPSS assigned.
Why it matters: XSS in example code is low-impact unless the examples webapp has been left deployed on a production or internet-facing host; the flaw is in the bundled demo application (webapps/examples), not in core Tomcat, and Tomcat's own security-considerations documentation recommends removing the examples webapp from production installs. No KEV listing, no PoC evidence, no widespread exploitation signal. Vendor advisory issued the same day as disclosure with fixes for the three supported branches (9.0, 10.1, 11.0); 8.5 and 7.0 are listed as affected but are end of life and get no fix, so removing the examples webapp is the only remediation there.
Where it's seen: Routine vendor advisory amplification on social media (Bluesky, security feeds); basic announcement recycling. No defender triage urgency, no PoC drops, no real-world deployment concern reported.
RISK: LOW — Example application XSS; minimal production impact; fixes shipped immediately for all supported branches.
Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
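A triage helper that turns the ranges above into a yes/no check, added here as an example and not part of the advisory or of Apache Tomcat itself. It parses a Tomcat version string (including the milestone forms 11.0.0-M1 and 9.0.0.M1, and the "Apache Tomcat/x.y.z" prefix that bin/version.sh prints), decides whether the version is below the first fixed release on its branch, and looks for the number guess page in the stock examples webapp under CATALINA_BASE. The path webapps/examples/jsp/num/numguess.jsp is the standard distribution layout and is an assumption about your install; the temporary directory built by constructed_install() is constructed demo data, not a real Tomcat.

```python
"""Triage helper for CVE-2026-50229: is this Tomcat install in an affected
range, and is the examples webapp that carries numguess.jsp even deployed?
Added example; not code from the advisory or from Apache Tomcat."""
import os
import re
import tempfile

# Ranges from the advisory, keyed by (major, minor) branch. Value is the first
# fixed version, or None where the advisory lists the branch as affected but
# offers no fix (8.5 and 7.0, both end of life).
FIRST_FIXED = {
    (11, 0): "11.0.23",
    (10, 1): "10.1.56",
    (9, 0): "9.0.119",
    (8, 5): None,
    (7, 0): None,
}

# Location of the number guess example in the stock examples webapp
# (assumption: standard distribution layout under CATALINA_BASE).
NUMGUESS_PATH = os.path.join("webapps", "examples", "jsp", "num", "numguess.jsp")

# Accepts "9.0.118", "11.0.0-M1", "9.0.0.M1" and "Apache Tomcat/9.0.118".
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; milestone builds sort before their GA release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = (0, int(milestone)) if milestone else (1, 0)  # M-n < GA
    return (int(major), int(minor), int(patch)) + rank


def classify(version):
    """'fixed', 'affected', 'affected-eol' (no fix on that branch) or
    'unknown-branch' (the advisory says other EOL versions may be affected)."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIRST_FIXED:
        return "unknown-branch"
    fixed = FIRST_FIXED[branch]
    if fixed is None:
        return "affected-eol"
    return "affected" if v < parse_version(fixed) else "fixed"


def examples_deployed(catalina_base):
    """True if the stock examples webapp (with numguess.jsp) is present."""
    return os.path.isfile(os.path.join(catalina_base, NUMGUESS_PATH))


def triage(version, catalina_base):
    """Combine both checks into the action a responder would take."""
    status = classify(version)
    deployed = examples_deployed(catalina_base)
    if status == "fixed":
        action = "none"
    elif not deployed:
        action = "none (examples webapp not deployed)"
    elif status == "affected":
        fixed = FIRST_FIXED[parse_version(version)[:2]]
        action = f"upgrade to {fixed} or remove webapps/examples"
    else:
        action = "remove webapps/examples (no fix on this branch)"
    return {"version_status": status, "examples_deployed": deployed, "action": action}


def constructed_install(with_examples):
    """Build a throwaway CATALINA_BASE layout for demonstration only."""
    root = tempfile.mkdtemp(prefix="tomcat-demo-")
    if with_examples:
        target = os.path.join(root, NUMGUESS_PATH)
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("<%-- placeholder standing in for numguess.jsp --%>\n")
    return root


if __name__ == "__main__":
    # Point CATALINA_BASE at a real install to check it; otherwise use demo data.
    base = os.environ.get("CATALINA_BASE") or constructed_install(True)
    for ver in ("9.0.118", "9.0.119", "11.0.0-M1", "8.5.100"):
        print(ver, triage(ver, base))
```

On a real host, feed triage() the output of bin/version.sh (the "Server version:" line) and the CATALINA_BASE the service actually runs with, since a hardened instance may use a CATALINA_BASE separate from CATALINA_HOME and the examples webapp lives under the former. An instance on an affected version with no examples webapp needs no emergency action for this CVE.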