CVE-2026-28807

216.73.217.22

· Published 10/03/2026 22:16 · Modified 11/03/2026 13:52

Labels: CVE-2026-28807 2026-03-10 6b3ad84c-e1a6-4bf7-a703-f496b71e49db CVE-2026-28807 CWE-22

Essential information

Published: 10/03/2026 22:16
Modified: 11/03/2026 13:52
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
NVD: View on NVD

Affected products (CPE)

Product	CPE
gleam / wisp	`cpe:2.3:a:gleam:wisp:[2.1.1,2.2.1):::::::*`