WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

AI Analysis

Path traversal vulnerability in WebP Server Go on Windows via backslash encoding

Basic Information

ID CVE-2026-53779

Source VulnCheck

Published Jun 22, 2026 at 18:22

Modified Jun 22, 2026 at 18:23

Affected Product

Vendor webp-sh

Product webp_server_go

Affected Versions webp-sh webp_server_go 0

CWE Classification

CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor webp-sh

Product WebP Server Go

Version 0.14.4

References

{
    "lastseen": "",
    "description": "WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.",
    "published": "2026-06-22T18:22:40.698Z",
    "modified": "2026-06-22T18:23:07.076Z",
    "type": "cve",
    "title": "WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows",
    "source": "VulnCheck",
    "references": "https://github.com/webp-sh/webp_server_go/pull/451\nhttps://github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0\nhttps://www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows",
    "id": "CVE-2026-53779",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "webp-sh webp_server_go 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webp_server_go",
    "version": "0",
    "vendor": "webp-sh",
    "ai_description": "Path traversal vulnerability in WebP Server Go on Windows via backslash encoding",
    "ai_severity": "High",
    "ai_vendor": "webp-sh",
    "ai_product": "WebP Server Go",
    "ai_version": "0.14.4",
    "ai_score": 8.7
}

WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows_CVE-2026-53779