Security Bulletin: IBM SPSS Analytic Server is affected by a Vert.x Web Static Handler cache manipulation vulnerability (CVE-2026-1002)
Summary: IBM SPSS Analytic Server is affected by a Vert.x Web Static Handler cache manipulation vulnerability (CVE-2026-1002). This has been addressed in the remediation section. Vulnerability Details: CVEID: CVE-2026-1002. DESCRIPTION: The Vert.x Web static handler component cache can be manipulated t...
Linux Distros Unpatched Vulnerability : CVE-2026-1002
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request UR...
Vert.x Web static handler component cache can be manipulated to deny access to static files
The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of rule C of section 5.2.4 of RFC 3986 (remove_dot_segments) and is fixed in the Vert.x Core component used b...
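The algorithm the advisory refers to is remove_dot_segments from RFC 3986 section 5.2.4, whose rule C covers two input shapes: a "/../" prefix and a bare trailing "/..". Below is an added reference implementation in Python written for this page; it is not Vert.x code (Vert.x is Java, and the page says only that the fix lives in Vert.x Core). The second function is a hypothetical, incomplete variant constructed here to show what an incomplete rule C does: two request URIs that name the same resource normalize to different strings, which is exactly the divergence a cache keyed on the normalized path cannot tolerate. It does not reproduce the actual Vert.x defect, which the page does not describe. The request paths are constructed.

```python
# Added reference implementation of RFC 3986 section 5.2.4 (remove_dot_segments),
# written for this page; it is not Vert.x code. Request paths below are constructed.


def remove_dot_segments(path: str) -> str:
    """Normalize a URI path exactly as RFC 3986 section 5.2.4 specifies."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):            # rule A: drop leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):           # rule A: drop leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):          # rule B: "/./" -> "/"
            inp = inp[2:]
        elif inp == "/.":                    # rule B: trailing "/." -> "/"
            inp = "/"
        elif inp.startswith("/../"):         # rule C: "/../" -> "/", pop last output segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                   # rule C: trailing "/.." -> "/", pop last output segment
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):             # rule D: lone "." or ".." is removed
            inp = ""
        else:                                # rule E: move first segment (with its leading "/") to output
            start = 1 if inp.startswith("/") else 0
            cut = inp.find("/", start)
            if cut == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:cut])
                inp = inp[cut:]
    return "".join(out)


def remove_dot_segments_incomplete(path: str) -> str:
    """Hypothetical flawed variant (constructed for illustration, not the Vert.x
    defect): it handles the "/../" prefix half of rule C but never the trailing
    "/.." half, so "/static/css/.." is emitted untouched."""
    inp, out = path, []
    while inp:
        if inp.startswith("/../"):
            inp = inp[3:]
            if out:
                out.pop()
        elif inp.startswith("/./"):
            inp = inp[2:]
        else:
            start = 1 if inp.startswith("/") else 0
            cut = inp.find("/", start)
            if cut == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:cut])
                inp = inp[cut:]
    return "".join(out)


def cache_keys(requests, normalize):
    """Keys a handler cache keyed on normalize(request_path) would end up holding."""
    return {normalize(r) for r in requests}


if __name__ == "__main__":
    for p in ["/static/css/..", "/static/css/../", "/a/b/c/./../../g"]:
        print(f"{p!r:22} RFC -> {remove_dot_segments(p)!r:14} incomplete -> {remove_dot_segments_incomplete(p)!r}")
```

With the complete algorithm, "/static/css/.." and "/static/css/../" both become "/static/" and share one cache key; with the incomplete variant the first survives as "/static/css/.." and the cache holds two keys for what the filesystem treats as one path. A quick way to check any normalizer is to feed it the RFC's own examples ("/a/b/c/./../../g" must give "/a/g", "mid/content=5/../6" must give "mid/6") together with both rule C shapes.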
GHSA-CPHF-4846-3XX9 Vert.x Web static handler component cache can be manipulated to deny access to static files
Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1.SP1 security update
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...
io.vertx/vertx-web: Eclipse Vert.x cross site scripting
In Eclipse Vert.x, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing maliciou...
Cross-site Scripting (XSS)
io.vertx:vertx-web is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper escaping of file and directory names in generated HTML when directory listing is enabled, which allows an attacker to craft malicious filenames that execute arbitrary scripts in the browser of users...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +4347 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=4.0.0-milestone1 <=4.5.21)
io.vertx:vertx-web MAVEN version =4.0.0-milestone1; dependent versions listed: =0.0.86 (repeated), =0.8.38 (repeated), =22.9.0, =25.3.10 and more. Sou...
GHSA-45P5-V273-3QQR Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Description: In the StaticHandlerImpl.sendDirectoryListing... method, under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping. As a result, in environments where an attacker can control file names, injecting...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +5604 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=3.0.0-milestone6 <=4.5.21)
io.vertx:vertx-web MAVEN version =3.0.0-milestone6; dependent versions listed: =0.0.86 (repeated), =0.0.2 (repeated), =0.3.0 - ai.konduit.serving:konduit-serving-python-config =0.0.2 and more. Source cves: CVE-2025-11966. Source advisory:...
ai.tock:bot-test (>=25.9.0 <=26.3.1), ai.tock:bot-test-base (>=25.9.0 <=26.3.1) +163 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=5.0.0.CR1 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0.CR1; dependent versions listed: =25.9.0 (repeated), =26.3.1 and more. Source cves: CVE-2025-11966. Source advisory: SNYK:JAVA-IOVERTX-13669867...
ai.tock:bot-test (>=25.9.0 <=26.3.1), ai.tock:bot-test-base (>=25.9.0 <=26.3.1) +164 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=5.0.0 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0; dependent versions listed: =25.9.0 (repeated), =26.3.1 and more. Source cves: CVE-2025-11966. Source advisory: OSV:GHSA-45P5-V273-3QQR...
Cross-site Scripting (XSS)
Overview: io.vertx:vertx-web provides HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via sendDirectoryListing in StaticHandlerImpl.java. An attacker can execute arbitrary JavaScript in the browser context of users viewing the director...
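The GHSA-45P5-V273-3QQR description above and this overview both come down to one rule: an entry name read from the filesystem is untrusted input and must be escaped for each HTML context it is written into. The following added example, written for this page in Python (it is not Vert.x-Web code, whose listing lives in Java), renders a text/html directory listing the vulnerable way and the hardened way side by side, with three constructed file names, two of which carry markup. The function and variable names are this example's own.

```python
# Added example written for this page; it is not Vert.x-Web code. It renders a
# text/html directory listing with every entry name escaped for the context it
# lands in (href, title attribute, link text). Sample names are constructed.
import html
from urllib.parse import quote

# Constructed sample: an attacker who can create or rename entries in the served
# directory controls only the name, which is enough to break the unsafe row.
SAMPLE_NAMES = [
    "report.pdf",
    "<img src=x onerror=alert(1)>.txt",
    'a" onmouseover="alert(2)',
]


def listing_row_unsafe(name: str) -> str:
    """The vulnerable pattern: the raw name lands in href, title and link text."""
    return f'<li><a href="{name}" title="{name}">{name}</a></li>'


def listing_row_safe(name: str) -> str:
    """Hardened row: the href gets a percent-encoded path segment (safe="" also
    encodes "/", so a name cannot add path components), while the title
    attribute and the link text get HTML escaping with both quote kinds escaped."""
    href = quote(name, safe="")
    text = html.escape(name, quote=True)
    return f'<li><a href="{href}" title="{text}">{text}</a></li>'


def render_listing(names, row=listing_row_safe) -> str:
    """Build the <ul> for one directory; `row` picks the unsafe or the safe renderer."""
    return "<ul>\n" + "\n".join(row(n) for n in sorted(names)) + "\n</ul>"


def leaks_markup(fragment: str, name: str) -> bool:
    """True when a name that carries a structure-changing character (<, >, ")
    appears verbatim in the rendered fragment, i.e. it broke out of its context."""
    return any(c in name for c in '<>"') and name in fragment


if __name__ == "__main__":
    print("unsafe:\n" + render_listing(SAMPLE_NAMES, row=listing_row_unsafe))
    print("safe:\n" + render_listing(SAMPLE_NAMES))
```

The two escapers are deliberately different: percent-encoding is the right tool inside a URL, HTML entity escaping is the right tool for attribute values and text, and applying either one to the wrong context leaves a hole. A Content Security Policy reduces the blast radius but does not replace this escaping.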
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +4347 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=4.0.0-milestone1 <=4.5.21)
io.vertx:vertx-web MAVEN version =4.0.0-milestone1; dependent versions listed: =0.0.86 (repeated), =0.8.38 (repeated), =22.9.0, =25.3.10 and more. Sou...
ai.tock:bot-test (>=25.9.0 <=26.3.1), ai.tock:bot-test-base (>=25.9.0 <=26.3.1) +163 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=5.0.0.CR1 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0.CR1; dependent versions listed: =25.9.0 (repeated), =26.3.1 and more. Source cves: CVE-2025-11965. Source advisory: SNYK:JAVA-IOVERTX-13669868...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +5604 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=3.0.0-milestone6 <=4.5.21)
io.vertx:vertx-web MAVEN version =3.0.0-milestone6; dependent versions listed: =0.0.86 (repeated), =0.0.2 (repeated), =0.3.0 - ai.konduit.serving:konduit-serving-python-config =0.0.2 and more. Source cves: CVE-2025-11965. Source advisory:...
ai.tock:bot-test (>=25.9.0 <=26.3.1), ai.tock:bot-test-base (>=25.9.0 <=26.3.1) +164 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=5.0.0 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0; dependent versions listed: =25.9.0 (repeated), =26.3.1 and more. Source cves: CVE-2025-11965. Source advisory: OSV:GHSA-H5FG-JPGR-RV9C...
Files or Directories Accessible to External Parties
Overview: io.vertx:vertx-web provides HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via improper handling of hidden directories in the StaticHandler implementation when the setIncludeHidden(false) configuration i...
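The advisory text is truncated, so the exact Vert.x defect is not restated here; what a practitioner wants to verify in any static handler with hidden entries excluded is that the check covers every path segment, not only the final file name, and that it runs on the normalized path. The added example below, written for this page in Python (not Vert.x code; its function names, the filename-only contrast check and the use of posixpath.normpath as the normalization step are this example's own assumptions), shows that gate together with a weaker check that looks at the last segment only.

```python
# Added example written for this page; it is not Vert.x code. Decides whether a
# static handler may serve a request path when hidden entries are excluded.
# Request paths are constructed; the "filename-only" check is an illustrative
# contrast, not a statement of how the actual Vert.x check behaved.
import posixpath


def is_hidden_path(path: str) -> bool:
    """True if ANY segment of a normalized path is a dot-entry, e.g.
    "/.git/config" or "/css/.hidden.css". Treating "." and ".." as hidden
    is the safe default should one ever survive normalization."""
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def is_hidden_filename_only(path: str) -> bool:
    """Weaker check that inspects the last segment only: it lets "/.git/config"
    through because "config" carries no leading dot."""
    return path.rsplit("/", 1)[-1].startswith(".")


def may_serve(request_path: str, include_hidden: bool, check=is_hidden_path) -> bool:
    """Gate for a static handler. Normalization comes first so that
    "/pub/../.git/config" is judged as "/.git/config". posixpath.normpath is the
    normalization used in this example (an assumption, not the handler's own
    routine); on an absolute path it collapses "." and ".." segments."""
    path = posixpath.normpath("/" + request_path.lstrip("/"))
    if include_hidden:
        return True
    return not check(path)


if __name__ == "__main__":
    for p in ["/css/app.css", "/.git/config", "/pub/../.git/config", "/css/.hidden.css"]:
        verdict = "serve" if may_serve(p, include_hidden=False) else "deny"
        print(f"{p:24} -> {verdict}")
```

Running the same request through the weaker check shows why a hidden directory is the case to test: "/pub/../.git/config" is denied by the per-segment check and served by the filename-only one. The ordering also matters; a hidden check applied before dot-segment removal can be bypassed by a request that only becomes "/.git/..." after normalization.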