CVE-2026-8384
MEDIUMDescription
In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Is your site exposed to CVE-2026-8384?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| eclipse | jetty |
| eclipse | jetty |
References
Frequently Asked Questions
What is CVE-2026-8384? +
How severe is CVE-2026-8384? +
What products are affected by CVE-2026-8384? +
How do I check if I'm vulnerable to CVE-2026-8384? +
Related Vulnerabilities
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting …
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching …
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior …
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component …
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker …
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the …