From f3ff0e18c19bdbb75b3deda955a6bdcdd9570670 Mon Sep 17 00:00:00 2001
From: Oleksandra Matviienko <al.zzzeebra@gmail.com>
Date: Tue, 14 Apr 2026 09:30:25 +0200
Subject: [PATCH] Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483

---
 pom.xml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/pom.xml b/pom.xml
index 2d9a57843b..9a81a3d80d 100755
--- a/pom.xml
+++ b/pom.xml
@@ -70,6 +70,7 @@
         <metrics.version>4.2.25</metrics.version>
         <cassandra-all.version>5.0.4</cassandra-all.version> <!-- tools -->
         <guava.version>33.1.0-jre</guava.version>
+        <tomcat.version>10.1.54</tomcat.version> <!-- to fix CVE-2026-34487, CVE-2026-34486, CVE-2026-34483. TODO: remove when fixed in spring-boot-dependencies -->
         <commons-lang3.version>3.18.0</commons-lang3.version> <!-- to fix CVE-2025-48924. TODO: remove when fixed in spring-boot-dependencies -->
         <commons-io.version>2.16.1</commons-io.version>
         <commons-logging.version>1.3.1</commons-logging.version>
@@ -1225,6 +1226,23 @@
                 <artifactId>jaxb-api</artifactId>
                 <version>${javax.xml.bind-api.version}</version>
             </dependency>
+            <!-- Temporary tomcat version override to fix CVE-2026-34487, CVE-2026-34486, CVE-2026-34483. TODO: remove when fixed in spring-boot-dependencies -->
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-el</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-websocket</artifactId>
+                <version>${tomcat.version}</version>
+            </dependency>
+            <!-- End of tomcat version override -->
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-starter-test</artifactId>