{"id":"CVE-2026-28807","details":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1.","aliases":["EEF-CVE-2026-28807","GHSA-h7cj-j2vv-qw8r"],"modified":"2026-03-14T08:46:03.360535Z","published":"2026-03-10T22:16:18.640Z","references":[{"type":"ADVISORY","url":"https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"},{"type":"FIX","url":"https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gleam-wisp/wisp","events":[{"introduced":"49208beb40325811a247b85d84b7dbe57e42913d"},{"fixed":"987d3641fa038f749f68621a87b5e9a42ee9ef83"},{"fixed":"161118c431047f7ef1ff7cabfcc38981877fdd93"}],"database_specific":{"versions":[{"introduced":"2.1.1"},{"fixed":"2.2.1"}]}}],"versions":["v2.1.1","v2.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"string.replace"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28807.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}