PT-2026-3133 · Eclipse · Vert.X

Classicvalues +2 · Published 2026-01-15 · Updated 2026-05-18 · CVE-2026-1002

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vert.x versions (affected versions not specified)

Description

The cache of the Vert.x Web static handler component can be manipulated with specially crafted request URIs to deny access to static files served by the handler. The cause is an improper implementation of RFC 3986 section 5.2.4. An attacker can craft a request URI containing a string like bar%2F..%2F after the last / character to deny access to the URI, resulting in an HTTP 404 response. This can lead to a persistent Denial of Service for legitimate files.

Recommendations

Disable the Static Handler cache by calling setCachingEnabled(false) on the StaticHandler instance.
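
A log-side check for the request pattern described above, as an added example that is not part of the original advisory or of the Vert.x project: it flags request targets whose final path segment contains a percent-encoded slash next to `..`, and lists paths that returned 200 before the first such request and 404 after it. The access-log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Percent-encoded slash followed by a ".." segment, e.g. "bar%2F..%2F".
ENCODED_DOTDOT = re.compile(r"%2f\.\.(?:%2f|$)", re.IGNORECASE)

# Assumed combined-log-style layout; adapt the pattern to your own access log.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /static/bar%2F..%2F HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 404 0',
    '198.51.100.8 - - [01/Jan/2026:10:00:12 +0000] "GET /static/missing.css HTTP/1.1" 404 0',
]

def suspicious_last_segment(target):
    """True if the text after the last literal '/' holds an encoded '/..' sequence."""
    path = urlsplit(target).path          # urlsplit does not percent-decode
    last = path.rsplit("/", 1)[-1]
    return bool(ENCODED_DOTDOT.search(last))

def scan(lines):
    """Return (crafted requests, paths that went from 200 to 404 afterwards)."""
    crafted, seen_ok, flipped = [], set(), []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        target, status = m["target"], int(m["status"])
        path = urlsplit(target).path
        if suspicious_last_segment(target):
            crafted.append((m["client"], target, status))
        elif status == 200:
            seen_ok.add(path)
        elif status == 404 and crafted and path in seen_ok and path not in flipped:
            flipped.append(path)          # previously served, now missing
    return crafted, flipped

if __name__ == "__main__":
    crafted, flipped = scan(SAMPLE_LOG)
    print("crafted requests:", crafted)
    print("paths that flipped 200 -> 404:", flipped)
```

A path in the second list is only a lead for investigation: a file removed by a deployment produces the same 200-then-404 sequence.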

Exploit

Fix

DoS

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-DC73689
CLEANSTART-2026-GM79879
CLEANSTART-2026-GQ14179
CLEANSTART-2026-IA43044
CLEANSTART-2026-QI14017
CLEANSTART-2026-TZ04509
CLEANSTART-2026-VJ37814
CVE-2026-1002
GHSA-CPHF-4846-3XX9

Affected Products

Vert.X