Skip to main content

Winstone Servlet Engine EUVDEUVD-2026-39397

| CVE-2026-56122 HIGH
Path Traversal (CWE-22)
2026-06-25 VulnCheck GHSA-qf2j-8858-jvcv
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated single-request file read over the network (AV:N/AC:L/PR:N/UI:N); high confidentiality disclosure with no integrity or availability impact and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:29 vuln.today

DescriptionCVE.org

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

AnalysisAI

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Winstone HTTP listener
Delivery
Craft GET with ../ sequences
Exploit
Bypass webroot path resolution
Execution
Read arbitrary file as process user
Impact
Exfiltrate sensitive system/app files

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run Winstone Servlet Engine (≤0.9.10) with its static-file serving from a configured webroot reachable over HTTP - that static-file/webroot serving path is the specific feature abused. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H, VI:N/VA:N, base 8.7 High) describes a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact and no integrity or availability effect - consistent with a read-only file disclosure primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Winstone HTTP listener sends a single crafted GET request whose path embeds '../../' sequences targeting the static-file handler, e.g., requesting a path that resolves to /etc/passwd or application configuration files containing credentials. Public exploit code (a published gist) demonstrates the technique, and because the attack is unauthenticated and low-complexity, it can be automated to harvest sensitive files from any exposed instance, with greater impact when the service runs as a privileged user.
Remediation No vendor-released patch version is identified at time of analysis, and Winstone is a legacy project, so the most reliable remediation is to migrate off Winstone to a maintained servlet container (e.g., Jetty or Tomcat) that properly canonicalizes paths. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct immediate inventory of all Winstone deployments; confirm version and runtime privileges (uid/gid). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy