Description
Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Winstone Servlet Engine versions up to 0.9.10 contain a path‑traversal flaw that allows an unauthenticated attacker to read arbitrary files by sending HTTP GET requests that include dot‑dot‑slash sequences. These traversal prefixes are not sanitized when serving static files from the configured web root, enabling the attacker to walk outside the intended directory and read any file that the servlet process can access. The impact is direct confidentiality compromise, potentially exposing sensitive system configuration or credential files if the service runs with elevated privileges. The weakness is a classic directory traversal problem identified as CWE‑22.

Affected Systems

This vulnerability affects the Winstone Servlet Container developed by rickknowles, specifically all releases up to and including version 0.9.10. No other product or version information is available from the CNA.

Risk and Exploitability

The CVSS base score of 8.7 classifies the vulnerability as high severity. While the EPSS score is not available, the lack of authentication requirement and the ability to read files over HTTP suggests that exploitation can be performed remotely by anyone who can reach the service. The vulnerability is not currently listed in the CISA KEV catalog, but the potential to access system files means that it should be treated as a critical risk for services running with elevated privileges.

Generated by OpenCVE AI on June 25, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Winstone Servlet Container to the latest version that addresses the path traversal flaw (e.g., 0.9.11 or newer).
  • Configure the web root to a minimal directory and remove any symbolic links that might expose sensitive files.
  • Implement network‑level restrictions so that only trusted hosts can access the servlet engine's HTTP endpoints (for example, by using firewall rules or a reverse proxy).

Generated by OpenCVE AI on June 25, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rickknowles
Rickknowles winstone Servlet Container
Vendors & Products Rickknowles
Rickknowles winstone Servlet Container

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
Title Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Rickknowles Winstone Servlet Container
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T14:07:45.446Z

Reserved: 2026-06-18T19:15:10.651Z

Link: CVE-2026-56122

cve-icon Vulnrichment

Updated: 2026-06-25T14:07:41.542Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:38:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')