Cross-Site Scripting vulnerability in number guess example
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. A flaw was found in Apache Tomcat. This vulnerability, known as Cross-Site Scripting (XSS), allows a remote attacker to inject malicious scripts into the 'number guess example' web page. When other users view the compromised page, these scripts can execute in their web browsers. This could lead to unauthorized access to sensitive information or allow an attacker to alter the content of the website. A flaw was found in Apache Tomcat. A Cross-Site Scripting (XSS) vulnerability exists in the "number guess" example web application shipped with Tomcat. An attacker can inject malicious scripts into the example page, which execute in other users' browsers when they view the page. This vulnerability only affects the example web application, not the Tomcat servlet container itself. Red Hat Tomcat packages do not deploy example applications by default — they are in separate optional packages (e.g., tomcat-webapps) that are not installed in production environments. Red Hat severity: Moderate — CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). Weakness: CWE-79. Fixed by RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- tomcat11-main-11.0.23-0.1.hum1
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
- tomcat11-main-11.0.23-0.1.hum1
- RHSA-2026:32960
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Mitigation checklist
- Remove or disable the Tomcat example web applications if they are deployed. Example applications are not needed for production use and should not be accessible in production environments.
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.