CVE-2026-56122

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
Configurations

No configuration.

History

25 Jun 2026, 14:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 14:16

Updated : 2026-06-25 19:25


NVD link : CVE-2026-56122

Mitre link : CVE-2026-56122

CVE.ORG link : CVE-2026-56122


JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')