Find a vulnerability
Search criteria
Related vulnerabilities
GHSA-WXQ4-CC2Q-338Q
Vulnerability from github – Published: 2026-06-11 20:28 – Updated: 2026-06-11 20:28Impact
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
Patches
The issue is fixed with version 4.3.4.
Preconditions
The practical impact depends on the deployment.
The deployment uses a filesystem-backed WsgiDAV share.
The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.
Details
The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is not path-boundary aware. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.
In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.
The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....
A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.
The WsgiDAV process has OS permissions for the outside path.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.3"
},
"package": {
"ecosystem": "PyPI",
"name": "wsgidav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48099"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T20:28:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nWsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.\n\n### Patches\nThe issue is fixed with version 4.3.4.\n\n### Preconditions\n\nThe practical impact depends on the deployment.\n\nThe deployment uses a filesystem-backed WsgiDAV share.\n\nThe attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.\n\n### Details\n\nThe issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.\n\nIn a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.\n\nThe WSGI/server layer forwards the encoded dot segment to WsgiDAV\u0027s PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.\n\nA sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.\n\nThe WsgiDAV process has OS permissions for the outside path.",
"id": "GHSA-wxq4-cc2q-338q",
"modified": "2026-06-11T20:28:45Z",
"published": "2026-06-11T20:28:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mar10/wsgidav/security/advisories/GHSA-wxq4-cc2q-338q"
},
{
"type": "WEB",
"url": "https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183"
},
{
"type": "PACKAGE",
"url": "https://github.com/mar10/wsgidav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "WsgiDAV encoded dot segments can escape filesystem share roots"
}
PYSEC-2026-3428
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:07Impact
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
Patches
The issue is fixed with version 4.3.4.
Preconditions
The practical impact depends on the deployment.
The deployment uses a filesystem-backed WsgiDAV share.
The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.
Details
The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is not path-boundary aware. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.
In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.
The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....
A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.
The WsgiDAV process has OS permissions for the outside path.
| Name | purl | wsgidav | pkg:pypi/wsgidav |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wsgidav",
"purl": "pkg:pypi/wsgidav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.4.0b1",
"0.4.0b2",
"0.5.0",
"1.0.0",
"1.1.0",
"1.2.0",
"1.3.0",
"2.0.0",
"2.0.1",
"2.1.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.3.0",
"2.4.0",
"2.4.1",
"3.0.0",
"3.0.0a1",
"3.0.0a2",
"3.0.0a3",
"3.0.0a4",
"3.0.0a5",
"3.0.0a6",
"3.0.0a7",
"3.0.1",
"3.0.2",
"3.0.3",
"3.0.5a2",
"3.0.5a3",
"3.1.0",
"3.1.1",
"4.0.0",
"4.0.0a2",
"4.0.1",
"4.0.2",
"4.1.0",
"4.2.0",
"4.3.0",
"4.3.1",
"4.3.2",
"4.3.3"
]
}
],
"aliases": [
"CVE-2026-48099",
"GHSA-wxq4-cc2q-338q"
],
"details": "### Impact\nWsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.\n\n### Patches\nThe issue is fixed with version 4.3.4.\n\n### Preconditions\n\nThe practical impact depends on the deployment.\n\nThe deployment uses a filesystem-backed WsgiDAV share.\n\nThe attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.\n\n### Details\n\nThe issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.\n\nIn a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.\n\nThe WSGI/server layer forwards the encoded dot segment to WsgiDAV\u0027s PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.\n\nA sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.\n\nThe WsgiDAV process has OS permissions for the outside path.",
"id": "PYSEC-2026-3428",
"modified": "2026-07-13T16:07:34.248435Z",
"published": "2026-07-13T15:46:16.868348Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mar10/wsgidav/security/advisories/GHSA-wxq4-cc2q-338q"
},
{
"type": "WEB",
"url": "https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183"
},
{
"type": "PACKAGE",
"url": "https://github.com/mar10/wsgidav"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/wsgidav"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-wxq4-cc2q-338q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48099"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "WsgiDAV encoded dot segments can escape filesystem share roots"
}