=== Starting Tomcat instances === Tomcat started. Tomcat started. === Waiting for servers === Both servers ready (vuln=200 fixed=200) === Testing Vulnerable Tomcat (10.1.55) === VULN GET without auth: 200 VULN PUT without auth: 201 VULN DELETE without auth: 204 VULN POST without auth: 200 VULN PUT with auth: 201 === Testing Fixed Tomcat (10.1.56) === FIXED GET without auth: 200 FIXED PUT without auth: 401 FIXED DELETE without auth: 401 FIXED POST without auth: 401 FIXED PUT with auth: 201 === Stopping Tomcat instances === at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) at java.base/java.lang.reflect.Method.invoke(Method.java:565) at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:396) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491) CONFIRMED: CVE-2026-55956 - Security constraint method bypass reproduced!