CVE-2025-11966

MEDIUM

Eclipse Vert.x < 4.5.22 - Basic XSS

Title source: rule

Description

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.

References (1)

[Issue Tracking, Vendor Advisory, Exploit] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303

Scores

CVSS v3 6.4

EPSS 0.0003

EPSS Percentile 7.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79

Status published

Products (2)

eclipse/vert.x 4.0.0 - 4.5.22

io.vertx/vertx-web 0 - 4.5.22Maven

Published Oct 22, 2025

Tracked Since Feb 18, 2026