Hi Tomcat Team, I noticed a discrepancy between the recent release documentation and the actual release artifacts for Tomcat 9.0.120, 10.1.57 and 11.0.24.
The release notes state that CVE-2026-59084 was fixed via commits 617d7275 for 9.0.120, 79466463 for 10.1.57 and 57e80e9b 11.0.24. However, checking the source tree for the 9.0.120, 10.1.57 and 11.0.24 tags, these commits do not appear to be merged into the release builds. Could someone please verify if these fixes were accidentally omitted from the artifacts, or if the release notes are pointing to the wrong commit references? Thanks, Tommy Williams
