Release Notes
Complete Changelog for NES for Jetty
9 Patched Vulnerabilities
Jetty 9.4.x
9.4.59 (NES) - 2026-03-05
Security Fixes
- Fixed improper input validation in jetty-http where malformed URIs were parsed differently than other common parsers, potentially allowing blocklist bypass in multi-component systems (CVE-2025-11143).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 9.4.58.
Full Version: 9.4.59
9.4.60 (NES) - 2026-03-06
Security Fixes
- HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (CVE-2026-2332).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 9.4.58.
Full Version: 9.4.60
9.4.61 (NES) - 2026-04-10
Security Fixes
- JASPI access control escalation (CVE-2026-5795).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 9.4.58.
Full Version: 9.4.61
Jetty 10.0.x
10.0.27 (NES) - 2026-03-05
Security Fixes
- Fixed improper input validation in jetty-http where malformed URIs were parsed differently than other common parsers, potentially allowing blocklist bypass in multi-component systems (CVE-2025-11143).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 10.0.26.
Full Version: 10.0.27
10.0.28 (NES) - 2026-03-06
Security Fixes
- HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (CVE-2026-2332).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 10.0.26.
Full Version: 10.0.28
10.0.29 (NES) - 2026-04-10
Security Fixes
- JASPI access control escalation (CVE-2026-5795).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 10.0.26.
Full Version: 10.0.29
Jetty 11.0.x
11.0.27 (NES) - 2026-03-05
Security Fixes
- Fixed improper input validation in jetty-http where malformed URIs were parsed differently than other common parsers, potentially allowing blocklist bypass in multi-component systems (CVE-2025-11143).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 11.0.26.
Full Version: 11.0.27
11.0.28 (NES) - 2026-03-06
Security Fixes
- HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (CVE-2026-2332).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 11.0.26.
Full Version: 11.0.28
11.0.29 (NES) - 2026-04-10
Security Fixes
- JASPI access control escalation (CVE-2026-5795).
Notes
- This release originates from the open-source Eclipse Jetty by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Jetty 11.0.26.
Full Version: 11.0.29