Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-59083 is a critical vulnerability (CVSS 9.1) in Apache Tomcat's rewrite valve that improperly handles URL hex encoding, allowing attackers to bypass security constraints in affected configurations. This vulnerability impacts widely deployed versions across Tomcat's active release lines: 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.0.M1 through 9.0.119, and 8.5.0 through 8.5.100. Organizations relying on Tomcat's rewrite valve for access control face significant risk, as attackers can craft specially encoded URLs to circumvent authentication and authorization checks, potentially gaining unauthorized access to protected resources. The vulnerability affects any deployment where URL rewrite rules are configured as a primary security mechanism.
While this CVE currently maps to zero Casky skills due to its novel encoding manipulation technique, practitioners using Casky's platform would detect exploitation attempts through Claude's extended reasoning capabilities applied to behavioral patterns associated with CWE-177 violations. Detection would focus on identifying anomalous URL patterns with unusual hex-encoded characters reaching restricted endpoints, access attempts that bypass expected authentication flows, and rewrite valve log entries showing encoding normalization mismatches. Security teams should monitor for requests containing encoded path traversal sequences, double-encoded characters, or hex-encoded special characters targeting protected application resources—patterns that violate expected URL structure assumptions. As threat intelligence matures around this vulnerability's exploitation, Casky would expand its skill library to map specific attack sequences to MITRE techniques like T1190 (Exploit Public-Facing Application), enabling more precise detection and response guidance.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-59083. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation