CVE-2026-53779

Sažetak

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

Reference

https://github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0
https://github.com/webp-sh/webp_server_go/pull/451
https://www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

23-06-2026 - 15:42

Objavljeno

22-06-2026 - 19:17