Home > Vulnerability Database > CVE-2025-11966

Mend.io Vulnerability Database

CVE-2025-11966

Good to know:

Date: October 22, 2025

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.

Severity Score

4.9

Related Resources (5)

Url: https://github.com/vert-x3/vertx-web

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303

Url: https://github.com/vert-x3/vertx-web/security/advisories/GHSA-45p5-v273-3qqr

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-11966

Url: https://www.mend.io/vulnerability-database/CVE-2025-11966

Severity Score

4.9

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

Upgrade Version

Upgrade to version io.vertx:vertx-web:5.0.5;io.vertx:vertx-web:4.5.22;https://github.com/vert-x3/vertx-web.git - 4.5.22;https://github.com/vert-x3/vertx-web.git - 5.0.5

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-11966

Good to know:

Date: October 22, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?