Hi Tomcat Team,

I noticed a discrepancy between the recent release documentation and the
actual release artifacts for Tomcat 9.0.120, 10.1.57 and 11.0.24.

The release notes state that CVE-2026-59084 was fixed via commits 617d7275
for 9.0.120, 79466463 for 10.1.57 and 57e80e9b 11.0.24. However, checking
the source tree for the 9.0.120, 10.1.57 and 11.0.24 tags, these commits do
not appear to be merged into the release builds.

Could someone please verify if these fixes were accidentally omitted from
the artifacts, or if the release notes are pointing to the wrong commit
references?

Thanks,
Tommy Williams

Reply via email to