CVE-2026-50229: Apache Tomcat examples app XSS in numguess.jsp
CVE-2026-50229 is verified against apache/tomcat · github affected versions: Apache Tomcat 11.0.0-M1 through 11.0.22; 10.1.0-M1 through 10.1.55; 9.0.0.M1 through 9.0.118; 8.5.0 through 8.5.100; 7.0.0 through 7.0.109 vulnerability class: XSS This low reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00280.
pruva-verify REPRO-2026-00280 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00280/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh CVE-2026-50229 is a reflected/stored XSS issue in the bundled examples web application shipped with Apache Tomcat. The vulnerable JSP webapps/examples/jsp/num/numguess.jsp used wildcard bean property binding (<jsp:setProperty ... property="*"/>) against a session-scoped bean, and the page later rendered the bean's hint value into HTML without escaping. Apache fixed the issue by restricting property binding to the intended guess parameter. Affected versions include 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.118, 10.1.0-M1 through 10.1.55, and 11.0.0-M1 through 11.0.22. Fixed in 11.0.23, 10.1.56, and 9.0.119; 8.5 and 7.0 are end-of-life.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.