Logo
Retour à la veille

CVE-2026-56122

Publié : 25 juin 2026
Modifié : 25 juin 2026
Lien officiel NVD
Score CVSS
7.5
HIGH

Description détaillée

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Références et Patchs

https://gist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3https://winstone.sourceforge.net/https://www.vulncheck.com/advisories/winstone-servlet-engine-path-traversal-via-http-request-paths

Dernières Vulnérabilités

CVE-2026-6432

Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.

VOIR DÉTAILS

CVE-2026-57588

A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.

VOIR DÉTAILS

CVE-2026-57587

A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.

VOIR DÉTAILS