DEBIAN-CVE-2026-25854

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-25854

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-25854

Upstream

CVE-2026-25854

Published

2026-04-09T20:16:24.207Z

Modified

2026-04-28T20:32:30.199485Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

References

https://security-tracker.debian.org/tracker/CVE-2026-25854

Affected packages

Debian:11

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Affected versions

9.*

9.0.43-1

9.0.43-2~deb11u1

9.0.43-2~deb11u2

9.0.43-2~deb11u3

9.0.43-2~deb11u4

9.0.43-2~deb11u5

9.0.43-2~deb11u6

9.0.43-2~deb11u7

9.0.43-2~deb11u8

9.0.43-2~deb11u9

9.0.43-2~deb11u10

9.0.43-2~deb11u11

9.0.43-2~deb11u12

9.0.43-2

9.0.43-3

9.0.53-1

9.0.54-1

9.0.55-1

9.0.58-1

9.0.62-1

9.0.63-1

9.0.64-1

9.0.64-2

9.0.65-1

9.0.67-1

9.0.68-1

9.0.68-1.1

9.0.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

Debian:12

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

10.*

10.1.6-1

10.1.6-1+deb12u1

10.1.6-1+deb12u2

10.1.7-1

10.1.8-1

10.1.9-1

10.1.10-1

10.1.13-1

10.1.14-1

10.1.15-1

10.1.16-1

10.1.20-1

10.1.23-1

10.1.25-1~bpo12+1

10.1.25-1

10.1.25-2

10.1.30-1~bpo12+1

10.1.30-1

10.1.31-1

10.1.33-1~bpo12+1

10.1.33-1

10.1.34-0+deb12u1

10.1.34-0+deb12u2

10.1.34-1

10.1.35-1

10.1.40-1~bpo12+1

10.1.40-1

10.1.46-1

10.1.52-1~deb12u1

10.1.52-1~deb13u1

10.1.52-1

10.1.52-2

10.1.54-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

Debian:13

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

10.*

10.1.40-1

10.1.46-1

10.1.52-1~deb12u1

10.1.52-1~deb13u1

10.1.52-1

10.1.52-2

10.1.54-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

tomcat11

Package

Name: tomcat11
Purl: pkg:deb/debian/tomcat11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.0.6-1

11.0.11-1

11.0.15-1~deb13u1

11.0.15-1

11.0.18-1

11.0.21-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

Debian:14

tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.54-1

Affected versions

10.*

10.1.40-1

10.1.46-1

10.1.52-1~deb12u1

10.1.52-1~deb13u1

10.1.52-1

10.1.52-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

tomcat11

Package

Name: tomcat11
Purl: pkg:deb/debian/tomcat11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.0.21-1

Affected versions

11.*

11.0.6-1

11.0.11-1

11.0.15-1~deb13u1

11.0.15-1

11.0.18-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-25854.json"