CVE-2026-1605
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.List of 626 websites affected by CVE-2026-1605
The domain names are hidden due to the sensitivity of the data. Please click on the "Contact us" button above to get more information.
| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.******.edu |  United States | *** | |
| *******.no |  Norway | *,*** | |
| **.**********.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| **********.****.edu | United States | **,*** | |
| *****.**.edu | United States | ***,*** | |
| ****.****.edu | United States | ***,*** | |
| *****.***********.org | United States | ***,*** | |
| ***.**********.com | United States | ***,*** | |
| ********.*******.com | United States | ***,*** | |
| *****.**.edu | United States | ***,*** | |
| ********.org |  Singapore | ***,*** | |
| ***.***.se |  European Union | ***,*** | |
| ****.**.****.net |  Netherlands | ***,*** | |
| **********.***.edu | United States | ***,*** | |
| ****.**.se |  Sweden | ***,*** | |
| **********************.cz | United States | ***,*** | |
| *****.****.net | Netherlands | ***,*** | |
| ********.de | United States | ***,*** | |
| **.*******.io | United States | ***,*** |