Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

AI Analysis

Path traversal vulnerability in Winstone Servlet Engine via HTTP request paths

Basic Information

ID CVE-2026-56122

Source VulnCheck

Published Jun 25, 2026 at 13:34

Modified Jun 25, 2026 at 14:07

Affected Product

Vendor rickknowles

Product Winstone Servlet Container

Version 0.9.10

Affected Versions rickknowles Winstone Servlet Container 0

CWE Classification

CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Rick Knowles

Product Winstone Servlet Engine

Version 0.9.10

References

{
    "lastseen": "",
    "description": "Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.",
    "published": "2026-06-25T13:34:15.679Z",
    "modified": "2026-06-25T14:07:45.446Z",
    "type": "cve",
    "title": "Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths",
    "source": "VulnCheck",
    "references": "https://gist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3\nhttps://winstone.sourceforge.net/\nhttps://www.vulncheck.com/advisories/winstone-servlet-engine-path-traversal-via-http-request-paths",
    "id": "CVE-2026-56122",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "rickknowles Winstone Servlet Container 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Winstone Servlet Container",
    "version": "0.9.10",
    "vendor": "rickknowles",
    "ai_description": "Path traversal vulnerability in Winstone Servlet Engine via HTTP request paths",
    "ai_severity": "High",
    "ai_vendor": "Rick Knowles",
    "ai_product": "Winstone Servlet Engine",
    "ai_version": "0.9.10",
    "ai_score": 8.7
}

Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths_CVE-2026-56122