Security News

Cybersecurity news aggregator


RHSA-2026:18916: Important: tomcat security update

This Red Hat security advisory addresses three vulnerabilities in Apache Tomcat, including a critical console manipulation flaw (CVE-2025-55754, CVSS 9.6), a high-severity security constraint bypass for CGI scripts (CVE-2025-46701, CVSS 7.3), and a medium-severity session fixation issue via the rewrite valve (CVE-2025-55668, CVSS 6.5). Affected versions are Apache Tomcat 9.0.0 through 9.0.108, 10.1.0 through 10.1.44, and 11.0.0 through 11.0.10, with specific fixed versions varying per CVE as detailed in the NVD data. The update for Red Hat Enterprise Linux 9 provides tomcat version 9.0.110-2.el9_8 to remediate these issues.

Red Hat Product Errata
RHSA-2026:18916 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis
Important: tomcat security update

Type/Severity
Security Advisory: Important

Topic
An update for tomcat is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):
tomcat: Apache Tomcat: Security constraint bypass for CGI scripts (CVE-2025-46701)
org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve (CVE-2025-55668)
org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation (CVE-2025-55754)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for IBM z Systems 9 s390x
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes
BZ - 2369253 - CVE-2025-46701 tomcat: Apache Tomcat: Security constraint bypass for CGI scripts
BZ - 2388226 - CVE-2025-55668 org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve
BZ - 2406590 - CVE-2025-55754 org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation
RHEL-146482 - Rebase tomcat package to enable PQC features

CVEs
CVE-2025-46701
CVE-2025-55668
CVE-2025-55754

References
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.8_release_notes/index

Note: More recent versions of these packages may be available.
Updated Packages (the same for x86_64, s390x, ppc64le and aarch64)

SRPM
tomcat-9.0.110-2.el9_8.src.rpm

Packages
tomcat-9.0.110-2.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.110-2.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.110-2.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.110-2.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.110-2.el9_8.noarch.rpm
tomcat-lib-9.0.110-2.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.110-2.el9_8.noarch.rpm
tomcat-webapps-9.0.110-2.el9_8.noarch.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
