CVE ID: CVE-2026-56122
Vendor Homepage: https://sourceforge.net/projects/winstone/
Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.
Example running with elevated privileges:
curl --path-as-is 'http://<host>:<port>/../../../../../../etc/shadow'Example running with low privileges:
curl --path-as-is 'http://<host>:<port>/../../../../../../etc/passwd'