CVE-2025-11966
MEDIUM
Eclipse Vert.x < 4.5.22 - Basic XSS
Title source: ruleDescription
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Scores
CVSS v3
6.4
EPSS
0.0005
EPSS Percentile
15.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Classification
CWE
CWE-80
CWE-79
Status
published
Affected Products (2)
eclipse/vert.x
< 4.5.22
io.vertx/vertx-web
< 4.5.22
Maven
Timeline
Published
Oct 22, 2025
Tracked Since
Feb 18, 2026