
CVE-2026-53434

hype MOSTLY HYPE · 18 hack

Fresh advisory reposted by feeds; no PoC, no KEV, no exploitation signal.

What: An error-handling flaw in Apache Tomcat's FFM-based connectors (11.0.0-M1 through 11.0.22, 10.1.0-M7 through 10.1.55, 9.0.83 through 9.0.118). When the CRL configured for such a connector is invalid, Tomcat detects the error but takes no action, so the connector starts as if the CRL had been applied.

Why it matters: Apache published fixed releases with the advisory (11.0.23, 10.1.56, 9.0.119); no CVSS or EPSS score has been assigned yet, there is no KEV listing and no public PoC. Social chatter is purely advisory rebroadcasting. The practical impact is that a broken CRL configuration goes unnoticed, so certificates that should have been rejected as revoked are still accepted. The risk is moderate because it only arises when an operator has already misconfigured the CRL, and the outcome is a missed revocation check rather than a way in by itself.

Where it's seen: Automated CVE notification feeds, vendor security advisories, and multilingual security blogs (Russian, Japanese) republishing the Apache advisory. No defender triage questions, no working exploit demos.

RISK: MODERATE — an invalid CRL configuration is detected but not acted on, so CRL checking is silently skipped; requires misconfiguration to trigger; patched same day.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/30/2026, 3:16:18 PM

Description

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for an FFM-based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.
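The two facts that decide whether this advisory applies to a given host are the version ranges above and whether a connector actually combines the FFM-based OpenSSL implementation with a CRL setting. The script below is an added triage example; it is not part of the Apache advisory or of Tomcat. It encodes the affected ranges from the advisory (milestone builds such as 11.0.0-M1 sort before the corresponding final release) and scans a server.xml for Connectors whose sslImplementationName selects Tomcat's FFM (Panama) OpenSSL class and whose SSLHostConfig carries certificateRevocationListFile or certificateRevocationListPath. The sample server.xml is constructed for the example; the file paths and ports in it are placeholders.

```python
"""Triage helper for CVE-2026-53434 (Apache Tomcat, CRL configuration on an
FFM-based connector).  Added example, not code from the advisory or from Tomcat.

Answers two questions an operator needs before deciding to patch urgently:
  1. Is the installed Tomcat version inside the affected ranges?
  2. Does server.xml combine an FFM-based OpenSSL connector with a CRL setting?
     Only that combination is in scope for this CVE.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory: (first affected, last affected).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.22"),
    ("10.1.0-M7", "10.1.55"),
    ("9.0.83", "9.0.118"),
]
# Fixed release per major branch, from the advisory.
FIXED_VERSIONS = {"11": "11.0.23", "10": "10.1.56", "9": "9.0.119"}

# Tomcat's FFM (Panama) OpenSSL implementation, selected on the Connector
# via sslImplementationName.  Connectors without it use JSSE and are out of scope.
FFM_IMPL = "org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"
# SSLHostConfig attributes that point Tomcat at a CRL.
CRL_ATTRS = ("certificateRevocationListFile", "certificateRevocationListPath")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Return a sortable tuple.  Milestone builds (11.0.0-M1) must sort before
    the final release (11.0.0), so the fourth field is 0 for milestones, 1 for final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version falls inside any advisory range (inclusive)."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Fixed release on the same branch, or None when the version is not affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS.get(version.split(".", 1)[0])


def connectors_in_scope(server_xml):
    """Return (port, crl_attribute) for every Connector that selects the FFM
    implementation AND has a CRL configured on one of its SSLHostConfig elements."""
    root = ET.fromstring(server_xml)
    hits = []
    for conn in root.iter("Connector"):
        if conn.get("sslImplementationName") != FFM_IMPL:
            continue
        for shc in conn.iter("SSLHostConfig"):
            for attr in CRL_ATTRS:
                if shc.get(attr):
                    hits.append((conn.get("port"), attr))
    return hits


# Constructed sample server.xml: port 8443 is an FFM connector with a CRL (in scope);
# port 8444 has the same CRL but uses the default JSSE implementation (out of scope).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation">
      <SSLHostConfig certificateVerification="required"
                     certificateRevocationListFile="conf/revoked.crl">
        <Certificate certificateFile="conf/server.crt" certificateKeyFile="conf/server.key"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig certificateVerification="required"
                     certificateRevocationListFile="conf/revoked.crl">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def triage(version, server_xml):
    """Combine both checks into one verdict for a host."""
    return {
        "version_affected": is_affected(version),
        "upgrade_to": fixed_version_for(version),
        "ffm_connectors_with_crl": connectors_in_scope(server_xml),
    }


if __name__ == "__main__":
    # Hypothetical host running a version inside the 10.1 range.
    print(triage("10.1.40", SAMPLE_SERVER_XML))
```

A hit from both checks means the host is in scope and should move to the fixed release for its branch. The script cannot tell you whether a CRL silently failed to load, because the defect is precisely that Tomcat does not fail; after upgrading, confirm enforcement by presenting a revoked client certificate to the connector in a test environment. It also only inspects server.xml, so connectors configured programmatically in embedded Tomcat need a separate look.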

Weaknesses