CVE-2026-1605
Published 2026-03-05
Priority: P3 · 44 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.63% (45.4th percentile)
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.
This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.
In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
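As an added illustration (not Jetty's own code), the following simplified Java model shows the lifecycle mistake described above: an Inflater borrowed for a gzip-encoded request body is returned to the pool only by the response-compression path, so a request whose response is not compressed leaks one Inflater per request, while the fixed shape ties release to request completion. The pool, method and counter names are assumptions for the model.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.zip.Inflater;

// Simplified model of the lifecycle bug, not Jetty's code: the Inflater used for
// a gzip-encoded request body is returned to the pool only by the response-
// compression path, so "gzip in, plain out" requests never give it back.
public class InflaterLifecycleModel {
    // Stands in for the GzipRequest inflater pool named in the report (assumed shape).
    static final Deque<Inflater> POOL = new ArrayDeque<>();
    static int unreturned = 0;   // Inflaters allocated and not yet returned to the pool

    static Inflater acquire() {
        Inflater i = POOL.poll();
        if (i == null) { i = new Inflater(true); }   // Inflater holds native zlib state
        unreturned++;
        return i;
    }
    static void release(Inflater i) { i.reset(); POOL.push(i); unreturned--; }

    // Vulnerable shape: release is reachable only when the response is compressed.
    static void handleLeaky(boolean requestIsGzip, boolean clientAcceptsGzip) {
        Inflater in = requestIsGzip ? acquire() : null;
        // ... request body inflated with `in`, application handler runs ...
        if (clientAcceptsGzip && in != null) {
            release(in);   // response-side cleanup is the only release point
        }
        // requestIsGzip && !clientAcceptsGzip: `in` is never released
    }

    // Fixed shape: the request-side resource is released on request completion,
    // regardless of whether the response was compressed (and on exceptions).
    static void handleFixed(boolean requestIsGzip, boolean clientAcceptsGzip) {
        Inflater in = requestIsGzip ? acquire() : null;
        try {
            // ... inflate request, write (optionally deflated) response ...
        } finally {
            if (in != null) release(in);
        }
    }

    public static void main(String[] args) {
        for (int n = 0; n < 1000; n++) handleLeaky(true, false);
        System.out.println("leaky handler, unreturned Inflaters: " + unreturned);
        unreturned = 0; POOL.clear();
        for (int n = 0; n < 1000; n++) handleFixed(true, false);
        System.out.println("fixed handler, unreturned Inflaters: " + unreturned);
    }
}
```

In a real deployment the equivalent symptom is the growing count of `java.util.zip.Inflater` instances in a heap dump, as the reporter describes below.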
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jetty12 | < jetty12 12.0.32-1 (forky) | jetty12 12.0.32-1 (forky) |
| eclipse | jetty | >= 12.0.0 < 12.0.32 | 12.0.32 |
| eclipse | jetty | >= 12.1.0 < 12.1.6 | 12.1.6 |
| eclipse_foundation | eclipse_jetty | 12.0.0 – 12.0.31 | — |
| eclipse_foundation | eclipse_jetty | 12.1.0 – 12.1.5 | — |
| studiocms | studiocms | >= 0 < 0.4.4 | 0.4.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
ghsa·2026-03-16
CVE-2026-32638 [LOW] CWE-639 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
## Summary
The REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface.
## Details
### Vulnerable Code Path
File: `D:/bugcrowd/studiocms/repo/packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts`, lines 1605-1647
```ts
.handle(
  'getUsers',
  Effect.fn(
    function* ({
```
OSV
The Eclipse Jetty Server Artifact has a Gzip request memory leak
osv·2026-03-05
CVE-2026-1605 [HIGH] The Eclipse Jetty Server Artifact has a Gzip request memory leak
### Description (as reported)
There is a memory leak when using `GzipHandler` in jetty-12.0.30 that can cause off-heap OOMs. This can be used for DoS attacks, so I'm reporting this as a vulnerability.
The leak is created by requests where the request is inflated (`Content-Encoding: gzip`) and the response is not deflated (no `Accept-Encoding: gzip`). In these conditions, a new inflater will be created by `GzipRequest` and never released back into `GzipRequest.__inflaterPool` because `gzipRequest.destroy()` is not called.
In heap dumps one can see thousands of `java.util.zip.Inflater` objects, which use both Java heap and native memory. Leaking native memory causes off-heap OOMs.
Code path in `GzipHandler.handle()`:
1.
GHSA
The Eclipse Jetty Server Artifact has a Gzip request memory leak
ghsa·2026-03-05
CVE-2026-1605 [HIGH] CWE-400 The Eclipse Jetty Server Artifact has a Gzip request memory leak
OSV
CVE-2026-1605: In Eclipse Jetty, versions 12
osv·2026-03-05·CVSS 7.5
CVE-2026-1605 [HIGH] CVE-2026-1605: In Eclipse Jetty, versions 12
Red Hat
org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
vendor_redhat·2026-03-05·CVSS 7.5
CVE-2026-1605 [HIGH] CWE-772 org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the se
Debian
CVE-2026-1605: jetty12 - In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler e...
vendor_debian·2026·CVSS 7.5
CVE-2026-1605 [HIGH] CVE-2026-1605: jetty12 - In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler e...
Scope: local
forky: resolved (fixed in 12.0.32-1)
sid: resolved (fixed in 12.0.32-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-68161 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-68161 [MEDIUM] CVE-2025-68161 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68161: Apache Solr vulnerability analysis and mitigation
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the `verifyHostName` configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the `log4j2.sslVerifyHostName` system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
The attacker is able to intercept or redirect network traffic between the client and the log receiver.
The attacker can present a server certificate is
Wiz
CVE-2026-1605 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1605 [HIGH] CVE-2026-1605 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1605: Java vulnerability analysis and mitigation
Source: NVD
Score: 7.5
Published: March 5, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Java, Jenkins
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Expl
Wiz
CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2025-22234 [LOW] CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22234: Jenkins vulnerability analysis and mitigation
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
Source: NVD
Score: 5.3
Published: January 22, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: Jenkins, Spring Security
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: org.springframework.security:spring-security-core, jenkins
Sources: NVD
Maven Severity MEDIUM Has Fix Ad
Bugzilla
CVE-2026-1605 org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
bugzilla·2026-03-05·CVSS 7.5
CVE-2026-1605 [HIGH] CVE-2026-1605 org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
Discussion:
This issue has been addressed in the following products:
Red Hat AMQ Broker 7.14.0
Via RHSA-2026:8509 https://access.redhat.com/errat
References:
- https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/errata/RHSA-2026:25089
- https://access.redhat.com/errata/RHSA-2026:25125
- https://access.redhat.com/errata/RHSA-2026:25126
- https://access.redhat.com/errata/RHSA-2026:8509
- https://access.redhat.com/security/cve/CVE-2026-1605
- https://bugzilla.redhat.com/show_bug.cgi?id=2444815
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1605.json
Published: 2026-03-05