High-Severity CVE-2026-29146 Detected in Apache Tomcat Embed Core 9.0.19
A high-severity vulnerability, CVE-2026-29146, has been identified in the widely used `tomcat-embed-core-9.0.19.jar` library, a core component of the Apache Tomcat server. The flaw was detected within the dependency chain of a Kotlin Spring project, specifically in the `cactus-plugin-ledger-connector-corda` module, raising immediate security concerns for any application relying on this embedded version.
The vulnerable library is a transitive dependency pulled in via `spring-boot-starter-tomcat-2.2.0.M3.jar`, which is itself a dependency of `spring-boot-starter-web-2.2.0.M3.jar`. Because this is the default dependency path for Spring Boot web applications, the vulnerability is likely present in many projects configured to use this starter version, whether or not they declare Tomcat explicitly. The scanner found the library in both the Maven and Gradle cache locations, showing that the project's build tooling had resolved and downloaded it.
The presence of a high-severity CVE in a foundational web server component creates a significant exposure: affected applications may be at risk of remote code execution, denial of service, or data breaches, depending on the nature of the flaw. Organizations using Spring Boot 2.2.0.M3, or any project whose resolved dependency graph contains this Tomcat embed core version, should prioritize updating the dependency to a patched version and confirm that the override is actually reflected in the resolved build.
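As an added example, not part of the original advisory, the script below walks the text output of `./gradlew dependencies` and reports every path that resolves to the affected `tomcat-embed-core` version, which is how a practitioner would confirm the transitive chain described above and, after overriding the version, verify the fix took effect. The sample tree is constructed to mirror that chain, and the parser assumes Gradle's standard `+---`/`\---` rendering with five-column indentation.

```python
"""Locate a vulnerable transitive artifact in `gradle dependencies` output."""
import re

# Constructed sample of `./gradlew dependencies --configuration runtimeClasspath`
# output mirroring the chain in the advisory (not real scanner output).
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:2.2.0.M3
|    +--- org.springframework.boot:spring-boot-starter:2.2.0.M3
|    |    \\--- org.springframework.boot:spring-boot:2.2.0.M3
|    \\--- org.springframework.boot:spring-boot-starter-tomcat:2.2.0.M3
|         \\--- org.apache.tomcat.embed:tomcat-embed-core:9.0.19
\\--- org.jetbrains.kotlin:kotlin-stdlib:1.3.41
"""

# One tree node: indent blocks of 5 chars, a +--- or \--- marker, then
# group:artifact:version, optionally " -> resolvedVersion" and/or " (*)".
NODE = re.compile(
    r"^((?:[|\s]{5})*)[+\\]--- (\S+?):(\S+?):(\S+?)(?: -> (\S+))?(?: \(\*\))?\s*$"
)

def find_paths(tree_text, group, artifact):
    """Return every root-to-target path as a list of 'group:artifact:resolvedVersion'."""
    paths, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # header lines and blank lines are not nodes
        depth = len(m.group(1)) // 5
        g, a, declared, forced = m.group(2), m.group(3), m.group(4), m.group(5)
        version = forced or declared  # " -> x" means Gradle resolved a different version
        del stack[depth:]             # drop siblings/children of the previous branch
        stack.append(f"{g}:{a}:{version}")
        if (g, a) == (group, artifact):
            paths.append(list(stack))
    return paths

def vulnerable_paths(tree_text, vulnerable_version="9.0.19"):
    """Paths whose resolved tomcat-embed-core version is the affected one."""
    return [p for p in find_paths(tree_text, "org.apache.tomcat.embed", "tomcat-embed-core")
            if p[-1].endswith(":" + vulnerable_version)]

if __name__ == "__main__":
    for path in vulnerable_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Run it over the real output of `./gradlew dependencies --configuration runtimeClasspath`; an empty result after pinning the version confirms Gradle actually resolved the override rather than the declared `9.0.19`.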