← back
CVE-2026-56122

Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths

CVSS 8.7 HIGHEPSS 0.4%CWE-22
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.7EPSS 0.4%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
25 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
rickknowles · Winstone Servlet Container
public PoCs found1
cve_referencegist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://gist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3https://winstone.sourceforge.net/https://www.vulncheck.com/advisories/winstone-servlet-engine-path-traversal-via-http-request-paths