EEF-CVE-2026-28807
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-28807.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-28807.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/EEF-CVE-2026-28807
- Aliases
- Published
- 2026-03-10T21:34:47.859Z
- Modified
- 2026-03-23T10:00:07.659045Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Path Traversal in wisp.serve_static allows arbitrary file read
- Details
-
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.
The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percentdecode converts it to .., which the OS resolves as directory traversal when the file is read.
An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.
This issue affects wisp: from 2.1.1 before 2.2.1.
- Database specific
{ "cwe_ids": [ "CWE-22" ], "capec_ids": [ "CAPEC-139" ], "cpe_ids": [ "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*" ] }- References
- Credits
-
-
- John Downey - FINDER
-
- Louis Pilfold - REMEDIATION_DEVELOPER
-
Affected packages
Hex / wisp
Package
- Name
- wisp
- Purl
- pkg:hex/wisp