Skip to main content

Winstone Servlet Container

1 CVEs product

Monthly

CVE-2026-56122 HIGH POC This Week

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. Impact is confidentiality-only but high, escalating to disclosure of OS-level secrets when the engine runs with elevated privileges.

Path Traversal Winstone Servlet Container
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
EPSS 0% CVSS 8.7
HIGH POC This Week

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. Impact is confidentiality-only but high, escalating to disclosure of OS-level secrets when the engine runs with elevated privileges.

Path Traversal Winstone Servlet Container
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy