Home

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-10 | Updated 2026-04-06 | Assigner EEF




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

2.1.1 (semver) before 2.2.1
affected

Default status
unaffected

129dcb1fe10ab1e676145d91477535e1c90ab550 (git) before 161118c431047f7ef1ff7cabfcc38981877fdd93
affected

Credits

John Downey finder

Louis Pilfold remediation developer

References

github.com/...p/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r vendor-advisory related

cna.erlef.org/cves/CVE-2026-28807.html related

osv.dev/vulnerability/EEF-CVE-2026-28807 related

github.com/...ommit/161118c431047f7ef1ff7cabfcc38981877fdd93 patch

cve.org (CVE-2026-28807)

nvd.nist.gov (CVE-2026-28807)

Download JSON