Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.

INFO

Published Date :

2026-03-10T21:34:47.859Z

Last Modified :

2026-04-06T16:44:07.589Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28807 vulnerability.

Vendors Products
Gleam-wisp
  • Wisp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28807.

URL Resource
https://cna.erlef.org/cves/CVE-2026-28807.html cve-icon cve-icon
https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93 cve-icon cve-icon
https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-28807 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability