PT-2025-43147 · Eclipse · Eclipse Vert.X

Sho Odagiri · Published 2025-10-22 · Updated 2026-01-20 · CVE-2025-11966

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Eclipse Vert.x versions 4.0.0 through 4.5.21
Eclipse Vert.x versions 5.0.0 through 5.0.4

Description

When directory listing is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.

Recommendations

Update Eclipse Vert.x to a version later than 4.5.21.
Update Eclipse Vert.x to a version later than 5.0.4.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-11966
ECHO-4377-3F2B-771F
GHSA-45P5-V273-3QQR

Affected Products

Eclipse Vert.X