Description
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
Published: 2026-07-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

Vendor Workaround

It is possible to contruct successful attack vector if and only if customer or client is using embedded Undertow and Jastow together in their application and the following conditions are met: * Undertow was configured with UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL set to 'true' value * DeploymentInfo configured with setEscapeErrorMessage(true) method was passed to Undertow's Servlet Container instance

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 07 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el10
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
References

Tue, 07 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.
Title Jastow: jastow cross-site scripting attack due to unsanitized uri
First Time appeared Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-79
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Redhat Jboss Enterprise Application Platform Jbosseapxp Red Hat Single Sign On
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T00:00:08.461Z

Reserved: 2025-11-06T11:15:12.378Z

Link: CVE-2025-12799

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-07T00:00:00Z

Links: CVE-2025-12799 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T04:30:05Z

Weaknesses