CVE-2026-25854

MEDIUM

Apache Tomcat: Occasionally open redirect

Title source: cna

Description

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Exploits (1)

nomisec WORKING POC

by gregk4sec · poc

https://github.com/gregk4sec/cve-2026-25854

View Code ZIP pw:eip

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/09/21

[Vendor Advisory] https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-601

Status published

Products (10)

apache/tomcat 9.0.0 milestone23 (5 CPE variants)

apache/tomcat 9.0.1 - 9.0.116

Apache Software Foundation/Apache Tomcat < 7.0.109

Apache Software Foundation/Apache Tomcat 10.1.0-M1 - 10.1.52

Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.18

Apache Software Foundation/Apache Tomcat 8.5.30 - 8.5.100

Apache Software Foundation/Apache Tomcat 9.0.0.M23 - 9.0.115

org.apache.tomcat/tomcat 8.5.30 - 9.0.116Maven

org.apache.tomcat/tomcat-catalina 8.5.30 - 9.0.116Maven

org.apache.tomcat.embed/tomcat-embed-core 8.5.30 - 9.0.116Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026