Third-Party Package Updates in Splunk Add-on for Tomcat App - May 2026
Advisory ID: SVD-2026-0516
CVE ID: Multiple
Published: 2026-05-20
Last Update: 2026-05-20
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Tomcat App version 3.3.1 including the following:
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| Apache Log4j1 | Upgraded apache log4j to version 2.25.3 | CVE-2025-68161 | Medium |
| Apache Commons Lang2 | Upgraded apache commons lang to version 3.18.0 | CVE-2025-48924 | Medium |
1 Upgraded apache log4j to version 2.25.3 to remedy CVE-2025-68161
2 Upgraded apache commons lang to version 3.18.0 to remedy CVE-2025-48924
Solution
Upgrade Splunk Add-on for Tomcat to versions 3.3.1, or higher.
See special instructions for this release.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Add-on for Tomcat | 3.3 | Below 3.3.1 | 3.3.1 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.