CVE-2026-8384
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
| CWE | CWE-647 |
| Vendor | eclipse foundation |
| Product | eclipse jetty |
| Published | Jul 14, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for eclipse foundation eclipse jetty
Be the first to know when new medium vulnerabilities affecting eclipse foundation eclipse jetty are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
Eclipse Foundation / Eclipse Jetty
12.0.0 โค 12.0.34 12.1.0 โค 12.1.8
References
Credits
https://github.com/jweny https://github.com/lworld0x00