Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
References
Configurations
No configuration.
History
25 Jun 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-25 14:16
Updated : 2026-06-25 19:25
NVD link : CVE-2026-56122
Mitre link : CVE-2026-56122
CVE.ORG link : CVE-2026-56122
JSON object : View
Products Affected
No product.
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
