CVE Catalog

CVE-2026-56122

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences. Attackers can traverse outside the webroot directory, potentially exposing sensitive data.

Risk Assessment

This vulnerability poses a significant risk to organizations as it allows attackers to access sensitive system files, especially when the service runs with elevated privileges.

Recommendation

It is recommended to update Winstone Servlet Engine to the latest version to mitigate this vulnerability and implement additional security measures such as HTTP request filtering.

Original NVD description (English source)

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS