CVE-2026-28807

Path Traversal in wisp.serve_static allows arbitrary file read

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-22 — CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

• CAPEC-139 — CAPEC-139 Relative Path Traversal

CVSS 4.0 Score

8.7

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.

The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.

An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.

This issue affects wisp: from 2.1.1 before 2.2.1.

Affected

pkg:hex/wisp

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	2.1.1	< 2.2.1

pkg:github/gleam-wisp/wisp

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	129dcb1fe10a	< 161118c43104

References

• https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r vendor-advisory
• https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93 patch

Credits

• Finder: John Downey
• Remediation developer: Louis Pilfold

CVE record as JSON:  GET /cves/CVE-2026-28807.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-28807.json