{"affected":[{"package":{"ecosystem":"Hex","name":"wisp","purl":"pkg:hex/wisp"},"ranges":[{"events":[{"introduced":"2.1.1"},{"fixed":"2.2.1"}],"type":"SEMVER"}],"versions":["2.1.1","2.2.0"]},{"ranges":[{"events":[{"introduced":"129dcb1fe10ab1e676145d91477535e1c90ab550"},{"fixed":"161118c431047f7ef1ff7cabfcc38981877fdd93"}],"repo":"https://github.com/gleam-wisp/wisp.git","type":"GIT"}]}],"aliases":["GHSA-h7cj-j2vv-qw8r","CVE-2026-28807"],"credits":[{"name":"John Downey","type":"FINDER"},{"name":"Louis Pilfold","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-139"],"cpe_ids":["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-22"]},"details":"## Summary\n\nImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1.","id":"EEF-CVE-2026-28807","modified":"2026-04-06T16:44:07.589Z","published":"2026-03-10T21:34:47.859Z","references":[{"type":"ADVISORY","url":"https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-28807.html"},{"type":"FIX","url":"https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"},{"type":"PACKAGE","url":"https://hex.pm/packages/wisp"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Path Traversal in wisp.serve_static allows arbitrary file read","upstream":[]}