PT-2026-57996 · Eclipse Foundation · Eclipse Jetty

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-8384

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Eclipse Jetty (affected versions not specified)
Description An issue exists where an HTTP URI containing a semicolon, such as /public;/../admin/secret.txt, results in an unresolved path of /public/../admin/secret.txt instead of the expected /admin/secret.txt. While the server does not serve the file directly because it fails the alias checker, web applications that rely on Jetty to provide resolved paths may be misled by receiving an unresolved path.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8384

Affected Products

Eclipse Jetty