Vulnerability Description
Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
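The containment check that static file serving needs before opening a file, shown beside the unchecked join that produces this class of bug. This is an added example, not Winstone's code or its fix: `WebrootGuard`, `resolveUnsafe` and `resolveSafe` are hypothetical names, and the request path is assumed to have been percent-decoded exactly once by the caller.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Illustrative only: WebrootGuard and its methods are hypothetical names, not Winstone APIs.
public class WebrootGuard {

    // Vulnerable pattern: the request path is joined to the webroot and used as-is,
    // so "../" segments walk out of the webroot.
    static Path resolveUnsafe(Path webroot, String requestPath) {
        return webroot.resolve(requestPath.replaceFirst("^/+", ""));
    }

    // Hardened pattern: normalize, then require the result to stay under the webroot.
    // requestPath is assumed to be percent-decoded exactly once by the caller.
    static Path resolveSafe(Path webroot, String requestPath) throws IOException {
        Path root = webroot.toRealPath();
        Path candidate = root.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        // Path.startsWith compares whole name elements, so "/srv/www-old" is not under "/srv/www".
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes webroot");
        }
        // A symlink inside the webroot can still point outside it; re-check the real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes webroot");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/webroot/index.html and <tmp>/secret.txt
        Path base = Files.createTempDirectory("guard-demo");
        Path webroot = Files.createDirectory(base.resolve("webroot"));
        Files.writeString(webroot.resolve("index.html"), "hello");
        Files.writeString(base.resolve("secret.txt"), "outside the webroot");

        String[] requests = { "/index.html", "/../secret.txt", "/a/../../secret.txt" };
        for (String req : requests) {
            boolean unsafeEscapes = !resolveUnsafe(webroot, req).normalize().startsWith(webroot);
            String safe;
            try {
                safe = "served " + webroot.toRealPath().relativize(resolveSafe(webroot, req));
            } catch (SecurityException e) {
                safe = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-22s unsafe escapes webroot: %-5b safe: %s%n", req, unsafeEscapes, safe);
        }
    }
}
```

Running the engine as an unprivileged account limits what a traversal can reach, but the containment check is what keeps reads inside the webroot.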
CVSS Score
7.5 (HIGH)
Related Weaknesses (CWE)
References
- https://gist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3
- https://winstone.sourceforge.net/
- https://www.vulncheck.com/advisories/winstone-servlet-engine-path-traversal-via-
FAQ
What is CVE-2026-56122?
CVE-2026-56122 is a vulnerability with a CVSS score of 7.5 (HIGH). Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences t...
How severe is CVE-2026-56122?
CVE-2026-56122 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-56122?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.