{"id":"EEF-CVE-2026-28807","summary":"Path Traversal in wisp.serve_static allows arbitrary file read","details":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1.","aliases":["CVE-2026-28807","GHSA-h7cj-j2vv-qw8r"],"modified":"2026-04-06T17:01:38.860998Z","published":"2026-03-10T21:34:47.859Z","database_specific":{"cwe_ids":["CWE-22"],"cpe_ids":["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-139"]},"references":[{"type":"ADVISORY","url":"https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-28807.html"},{"type":"FIX","url":"https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"},{"type":"PACKAGE","url":"https://hex.pm/packages/wisp"}],"affected":[{"package":{"name":"wisp","ecosystem":"Hex","purl":"pkg:hex/wisp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.1.1"},{"fixed":"2.2.1"}]}],"versions":["2.1.1","2.2.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-28807.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/gleam-wisp/wisp.git","events":[{"introduced":"129dcb1fe10ab1e676145d91477535e1c90ab550"},{"fixed":"161118c431047f7ef1ff7cabfcc38981877fdd93"}]}],"versions":["v2.1.1","v2.2.0","v2.2.1"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-28807.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}],"credits":[{"name":"John Downey","type":"FINDER"},{"name":"Louis Pilfold","type":"REMEDIATION_DEVELOPER"}]}