Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable reflected XSS with no auth required (PR:N) but mandatory victim interaction (UI:R); scope changes to browser (S:C) with limited C/I impact and no availability effect.
Primary rating from Vendor (apache).
CVSS Vector (Vendor: apache)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (CVE.org)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Analysis (AI)
Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The Tomcat 'number guess' example application (webapps/examples context) must be deployed and network-accessible; this is a non-default state for production servers, as hardening guidance explicitly requires removal of example applications. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided for this CVE, so quantitative risk signals are absent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL targeting the number-guess example page on a Tomcat instance where the examples application is deployed, embedding a malicious script payload in the guess parameter. The attacker delivers this URL to a victim (via phishing, a malicious link on another page, or a stored reference), and when the victim loads it their browser executes the injected script in the context of the Tomcat server's origin, potentially exposing session cookies or enabling UI manipulation. … |
| Remediation | Vendor-released patches are available: upgrade to Apache Tomcat 11.0.23, 10.1.56, or 9.0.119, which fix the issue per the Apache advisory at https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0. … Detailed patch versions, workarounds, and compensating controls in full report. |
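As an added example (not vuln.today's or the Tomcat project's code), a small Python check that maps a Tomcat version string onto the affected ranges and fixed releases quoted in the description and remediation rows above, and folds in the deployment condition the assessment stresses. The version-string parser and the milestone ordering (a `-M1`/`.M1` milestone sorting before the final release with the same numbers) are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed releases exactly as quoted in the description above:
# (major, minor), first affected, last affected, fixed version (None = no fix, end of support).
AFFECTED = [
    ((11, 0), "11.0.0-M1", "11.0.22", "11.0.23"),
    ((10, 1), "10.1.0-M1", "10.1.55", "10.1.56"),
    ((9, 0), "9.0.0.M1", "9.0.118", "9.0.119"),
    ((8, 5), "8.5.0", "8.5.100", None),
    ((7, 0), "7.0.0", "7.0.109", None),
]

def parse_version(v: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Parse '9.0.118', '11.0.0-M1' or '9.0.0.M1' into a sortable tuple (assumed format).
    Milestones get tail (0, n) so they sort before the final (1, 0) release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return int(major), int(minor), int(patch), tail

def affected_range(version: str) -> Optional[tuple]:
    """Return the AFFECTED entry whose range contains `version`, else None.
    None means 'not listed', not 'safe': the advisory notes other end-of-support lines may be affected."""
    pv = parse_version(version)
    for entry in AFFECTED:
        (major, minor), first, last, _ = entry
        if (pv[0], pv[1]) == (major, minor) and parse_version(first) <= pv <= parse_version(last):
            return entry
    return None

def assess(version: str, examples_deployed: bool) -> str:
    """Fold in the condition the analysis above stresses: the flaw lives in the
    examples webapp, so an instance that does not deploy it is not exposed."""
    entry = affected_range(version)
    if entry is None:
        return "not in a listed affected range (end-of-support lines may still be affected)"
    fixed = entry[3]
    action = f"upgrade to {fixed}" if fixed else "no fixed release (end of support), migrate to a supported line"
    if examples_deployed:
        return f"EXPOSED: remove the examples webapp; {action}"
    return f"affected version, examples webapp not deployed: {action}"

if __name__ == "__main__":
    for v, deployed in [("9.0.118", True), ("10.1.55", False), ("11.0.23", True), ("7.0.109", True)]:
        print(v, deployed, "->", assess(v, deployed))
```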
Same weakness: CWE-80 – Basic XSS
Related identifiers: EUVD-2026-40226, GHSA-pg42-rg8c-j886