CVE-2026-28807
Analyzed Analyzed - Analysis Complete

Path Traversal in gleam-wisp wisp Allows Arbitrary File Read

Vulnerability report for CVE-2026-28807, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-05-27

Assigner: EEF

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-05-27
Generated
2026-07-06
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gleam-wisp wisp From 2.1.1 (inc) to 2.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Path Traversal issue in the gleam-wisp wisp software. It occurs because the function responsible for serving static files sanitizes the file path before decoding percent-encoded characters. Specifically, the encoded sequence %2e%2e (which represents "..") bypasses the sanitization step and is later decoded to "..", allowing an attacker to traverse directories on the server.

As a result, an unauthenticated attacker can craft a single HTTP request that reads arbitrary files accessible by the application process, including sensitive files such as source code, configuration files, secrets, and system files.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to read any file that the application process has permission to access without authentication.

  • Exposure of application source code, which could reveal business logic or other sensitive implementation details.
  • Disclosure of configuration files that may contain sensitive settings or credentials.
  • Access to secret files or system files, potentially leading to further exploitation or system compromise.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart