219 matches found
Cross-site Scripting (XSS)
io.vertx:vertx-web is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of file and directory names in generated HTML when directory listing is enabled, which allows an attacker to craft malicious filenames that execute arbitrary scripts in the browser of users...
Linux Distros Unpatched Vulnerability : CVE-2025-11965
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidd...
ai.tock:bot-test (>=25.9.0 <=26.3.2), ai.tock:bot-test-base (>=25.9.0 <=26.3.2) +286 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=5.0.0.CR1 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0.CR1, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-11966 Source advisory: SNYK:JAVA-IOVERTX-13669867...
Cross-site Scripting (XSS)
Overview io.vertx:vertx-web is a HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the sendDirectoryListing in StaticHandlerImpl.java. An attacker can execute arbitrary JavaScript in the browser context of users viewing the director...
ai.tock:bot-test (>=25.9.0 <=26.3.2), ai.tock:bot-test-base (>=25.9.0 <=26.3.2) +287 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=5.0.0 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-11966 Source advisory: OSV:GHSA-45P5-V273-3QQR...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +4384 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=4.0.0-milestone1 <=4.5.21)
io.vertx:vertx-web MAVEN version =4.0.0-milestone1, =0.0.86, =0.0.86, =0.0.86, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =22.9.0, =25.3.10 and more Sou...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +5641 more potentially affected by CVE-2025-11966 via io.vertx:vertx-web (>=3.0.0-milestone6 <=4.5.21)
io.vertx:vertx-web MAVEN version =3.0.0-milestone6, =0.0.86, =0.0.86, =0.0.86, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.3.0 - ai.konduit.serving:konduit-serving-python-config =0.0.2 and more Source cves: CVE-2025-11966 Source advisory:...
GHSA-45P5-V273-3QQR Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Description - In the StaticHandlerImplsendDirectoryListing... method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping. - As a result, in environments where an attacker can control file names, injecting...
GHSA-H5FG-JPGR-RV9C Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
Description There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHiddenfalse is configured. In the current implementation, only files whose final path segment i.e., the file name begins with a dot . are treated as “hidden” and are blocked from being...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +5641 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=3.0.0-milestone6 <=4.5.21)
io.vertx:vertx-web MAVEN version =3.0.0-milestone6, =0.0.86, =0.0.86, =0.0.86, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.0.2, =0.3.0 - ai.konduit.serving:konduit-serving-python-config =0.0.2 and more Source cves: CVE-2025-11965 Source advisory:...
ai.tock:bot-test (>=25.9.0 <=26.3.2), ai.tock:bot-test-base (>=25.9.0 <=26.3.2) +287 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=5.0.0 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-11965 Source advisory: OSV:GHSA-H5FG-JPGR-RV9C...
ai.tock:bot-test (>=25.9.0 <=26.3.2), ai.tock:bot-test-base (>=25.9.0 <=26.3.2) +286 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=5.0.0.CR1 <=5.0.4)
io.vertx:vertx-web MAVEN version =5.0.0.CR1, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.2 and more Source cves: CVE-2025-11965 Source advisory: SNYK:JAVA-IOVERTX-13669868...
Files or Directories Accessible to External Parties
Overview io.vertx:vertx-web is a HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via improper handling of hidden directories in the StaticHandler implementation when the setIncludeHiddenfalse configuration i...
ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:service_2.12 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +4384 more potentially affected by CVE-2025-11965 via io.vertx:vertx-web (>=4.0.0-milestone1 <=4.5.21)
io.vertx:vertx-web MAVEN version =4.0.0-milestone1, =0.0.86, =0.0.86, =0.0.86, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =22.9.0, =25.3.10 and more Sou...
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
Description There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHiddenfalse is configured. In the current implementation, only files whose final path segment i.e., the file name begins with a dot . are treated as “hidden” and are blocked from being...
CVE-2025-11965
In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them e.g. '.git/config'...
CVE-2025-11966
In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path...
CVE-2025-11965
In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them e.g. '.git/config'...
CVE-2025-11965
In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them e.g. '.git/config'...
CVE-2025-11965
The CVE-2025-11965 issue affects Eclipse Vert.x: versions 4.0.0–4.5.21 and 5.0.0–5.0.4 contain a misconfiguration in StaticHandler that fails to restrict access to hidden directories, enabling unauthorized access to files inside them (for example, .git/config). The available connected documents c...