๐Ÿ” CVE Alert

CVE-2026-56122

HIGH 7.5

Winstone Servlet Engine 0.9.10 Path Traversal via HTTP Request Paths

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

CWE: CWE-22
Vendor: rickknowles
Product: winstone servlet container
Published: Jun 25, 2026
Last Updated: Jun 25, 2026
CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

rickknowles / Winstone Servlet Container
0 ≤ 0.9.10

References

gist.github.com: https://gist.github.com/VAMorales/ce93f10215c43b2a8344426f4dd59cd3
winstone.sourceforge.net: https://winstone.sourceforge.net/
vulncheck.com: https://www.vulncheck.com/advisories/winstone-servlet-engine-path-traversal-via-http-request-paths

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.