Skip to content
Verified reproduction

CVE-2026-50229: Apache Tomcat examples app XSS in numguess.jsp

CVE-2026-50229 is verified against apache/tomcat · github affected versions: Apache Tomcat 11.0.0-M1 through 11.0.22; 10.1.0-M1 through 10.1.55; 9.0.0.M1 through 9.0.118; 8.5.0 through 8.5.100; 7.0.0 through 7.0.109 vulnerability class: XSS This low reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00280.

REPRO-2026-00280 apache/tomcat · github XSS Variant found Jul 9, 2026 .txt
Severity LOW
Confidence HIGH
Reproduced in 16m 6s
Tool calls 146
Spend $1.42
Affected Apache Tomcat 11.0.0-M1 through 11.0.22; 10.1.0-M1 through 10.1.55; 9.0.0.M1 through 9.0.118; 8.5.0 through 8.5.100; 7.0.0 through 7.0.109
$ pruva-verify REPRO-2026-00280
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00280/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

CVE-2026-50229 is a reflected/stored XSS issue in the bundled examples web application shipped with Apache Tomcat. The vulnerable JSP webapps/examples/jsp/num/numguess.jsp used wildcard bean property binding (<jsp:setProperty ... property="*"/>) against a session-scoped bean, and the page later rendered the bean's hint value into HTML without escaping. Apache fixed the issue by restricting property binding to the intended guess parameter. Affected versions include 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.118, 10.1.0-M1 through 10.1.55, and 11.0.0-M1 through 11.0.22. Fixed in 11.0.23, 10.1.56, and 9.0.119; 8.5 and 7.0 are end-of-life.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.