{"id":"PYSEC-2026-918","summary":"sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs","details":"### Impact\nAccess to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted.\n\n### Patches\n- v20.12.7 (LTS)\n- v21.12.2 (LTS)\n- v22.6.1\n\n### References\nhttps://github.com/sanic-org/sanic/issues/2478\nhttps://github.com/sanic-org/sanic/pull/2495\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the community forums](https://community.sanicframework.org/)\n* Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)\n\n","aliases":["CVE-2022-35920","GHSA-8cw9-5hmv-77w6"],"modified":"2026-07-07T11:45:50.826682501Z","published":"2026-07-06T08:03:31.763289Z","references":[{"type":"WEB","url":"https://github.com/sanic-org/sanic/security/advisories/GHSA-8cw9-5hmv-77w6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35920"},{"type":"WEB","url":"https://github.com/sanic-org/sanic/issues/2478"},{"type":"WEB","url":"https://github.com/sanic-org/sanic/pull/2495"},{"type":"PACKAGE","url":"https://github.com/sanic-org/sanic"},{"type":"PACKAGE","url":"https://pypi.org/project/sanic"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8cw9-5hmv-77w6"}],"affected":[{"package":{"name":"sanic","ecosystem":"PyPI","purl":"pkg:pypi/sanic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.12.7"},{"introduced":"22.0.0"},{"fixed":"22.6.1"},{"introduced":"21.0.0"},{"fixed":"21.12.2"}]}],"versions":["0.1.0","0.1.1","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.3.0","0.3.1","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.5.4","0.6.0","0.7.0","0.8.0","0.8.1","0.8.2","0.8.3","18.12.0","19.12.0","19.12.2","19.12.3","19.12.4","19.12.5","19.3.1","19.6.0","19.6.2","19.6.3","19.9.0","20.12.0","20.12.1","20.12.2","20.12.3","20.12.4","20.12.5","20.12.6","20.3.0","20.6.0","20.6.1","20.6.2","20.6.3","20.9.0","20.9.1","21.12.0","21.12.1","21.3.0","21.3.1","21.3.2","21.3.4","21.6.0","21.6.1","21.6.2","21.9.0","21.9.1","21.9.2","21.9.3","22.3.0","22.3.1","22.3.2","22.6.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/sanic/PYSEC-2026-918.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}]}