CVE-2025-11966: 
Java vulnerability analysis and mitigation

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a stored cross-site scripting (XSS) vulnerability exists when directory listing is enabled. The vulnerability stems from improper escaping of file and directory names in the href, title, and link attributes of generated HTML (Eclipse Report, NVD).

The vulnerability occurs when directory listing functionality is enabled in the affected Vert.x versions. File and directory names are inserted into generated HTML without proper escaping in three specific attributes: href, title, and link. The vulnerability has been assigned a CVSS 4.0 Base Score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The weakness has been categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (NVD).

When exploited, this vulnerability allows attackers who can create or rename files or directories within a served path to inject malicious script or HTML content. The injected content executes in the context of users viewing the affected directory listing, potentially leading to unauthorized access to user data or actions performed on behalf of the victim (NVD).

Users should upgrade to versions newer than 4.5.21 for the 4.x series or versions newer than 5.0.4 for the 5.x series. If immediate upgrading is not possible, it is recommended to disable directory listing functionality where not strictly necessary (Eclipse Report).