DEBIAN-CVE-2026-53404

Source
https://security-tracker.debian.org/tracker/CVE-2026-53404
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-53404
Upstream
Published
2026-06-29T21:16:44.527Z
Modified
2026-07-01T18:01:23.672881060Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

References

Affected packages

Debian:11
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Affected versions

9.*
9.0.43-1
9.0.43-2~deb11u1
9.0.43-2~deb11u2
9.0.43-2~deb11u3
9.0.43-2~deb11u4
9.0.43-2~deb11u5
9.0.43-2~deb11u6
9.0.43-2~deb11u7
9.0.43-2~deb11u8
9.0.43-2~deb11u9
9.0.43-2~deb11u10
9.0.43-2~deb11u11
9.0.43-2~deb11u12
9.0.43-2
9.0.43-3
9.0.53-1
9.0.54-1
9.0.55-1
9.0.58-1
9.0.62-1
9.0.63-1
9.0.64-1
9.0.64-2
9.0.65-1
9.0.67-1
9.0.68-1
9.0.68-1.1
9.0.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
Debian:12
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.6-1
10.1.6-1+deb12u1
10.1.6-1+deb12u2
10.1.7-1
10.1.8-1
10.1.9-1
10.1.10-1
10.1.13-1
10.1.14-1
10.1.15-1
10.1.16-1
10.1.20-1
10.1.23-1
10.1.25-1~bpo12+1
10.1.25-1
10.1.25-2
10.1.30-1~bpo12+1
10.1.30-1
10.1.31-1
10.1.33-1~bpo12+1
10.1.33-1
10.1.34-0+deb12u1
10.1.34-0+deb12u2
10.1.34-1
10.1.35-1
10.1.40-1~bpo12+1
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1
10.1.55-1~deb12u1
10.1.55-1~deb13u1
10.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
Debian:13
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1
10.1.55-1~deb12u1
10.1.55-1~deb13u1
10.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
tomcat11

Package

Name
tomcat11
Purl
pkg:deb/debian/tomcat11?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.0.6-1
11.0.11-1
11.0.15-1~deb13u1
11.0.15-1
11.0.18-1
11.0.21-1
11.0.22-1~deb13u1
11.0.22-1
11.0.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
Debian:14
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1
10.1.55-1~deb12u1
10.1.55-1~deb13u1
10.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
tomcat11

Package

Name
tomcat11
Purl
pkg:deb/debian/tomcat11?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.0.6-1
11.0.11-1
11.0.15-1~deb13u1
11.0.15-1
11.0.18-1
11.0.21-1
11.0.22-1~deb13u1
11.0.22-1
11.0.22-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-53404.json"