Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.

The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.

An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.

This issue affects wisp: from 2.1.1 before 2.2.1.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read via path traversal
Action: Patch Now
AI Analysis

Impact

The vulnerability is a Path Traversal flaw in the wisp.serve_static handler. The code performs string replacement before percent-decoding, so an encoded '..' (for example, %2e%2e) passes through unchanged and is decoded to .., allowing the operating system to interpret it as a directory traversal. This flaw allows an unauthenticated attacker to read any file that the application process can access in a single HTTP request, including source code, configuration files, secrets, and system files.
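As an added illustration (not wisp's own code, which is written in Gleam), the Python below mirrors the ordering defect the description and this paragraph attribute to wisp.serve_static, strip then decode, beside the decode-then-normalize-then-contain order the remediation advice asks for. The root directory `/srv/static` and the request paths are constructed for the example.

```python
"""Sanitize-before-decode (as described for wisp.serve_static) vs. decode-first.

Constructed example: ROOT and the probe request paths are made up.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

ROOT = "/srv/static"  # constructed document root for the static handler


def vulnerable_resolve(request_path: str) -> str:
    """Order described in the advisory: strip '..' first, percent-decode second.

    A literal '..' is removed, but '%2e%2e' is untouched by the replace and
    only becomes '..' after decoding. normpath() stands in for the OS, which
    collapses '..' when the file is opened.
    """
    sanitized = request_path.replace("..", "")
    decoded = unquote(sanitized)
    return posixpath.normpath(posixpath.join(ROOT, decoded.lstrip("/")))


def hardened_resolve(request_path: str) -> Optional[str]:
    """Decode first, then normalize, then check the result stays under ROOT.

    Returns the resolved path, or None when the request would escape ROOT.
    The path is decoded exactly once, so a doubly encoded '%252e%252e' stays
    a literal '%2e%2e' directory name inside ROOT rather than a traversal.
    """
    decoded = unquote(request_path)
    candidate = posixpath.normpath(posixpath.join(ROOT, decoded.lstrip("/")))
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed probes: one benign asset, one literal and two encoded
    # traversal attempts, and one doubly encoded name that is just a file.
    probes = ["/css/app.css", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
              "%2e%2e%2fetc/passwd", "%252e%252e/x"]
    for p in probes:
        print(f"{p:32} vulnerable -> {vulnerable_resolve(p)}")
        print(f"{'':32} hardened   -> {hardened_resolve(p)}")
```

The literal `..` probe is caught by the replace in both versions; only the encoded probes show the difference the advisory describes.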

Affected Systems

The affected product is the Gleam-wisp wisp web framework, all versions from 2.1.1 up to, but not including, 2.2.1. Applications built with these versions that serve files through the default serve_static component are vulnerable.

Risk and Exploitability

The CVSS base score is 8.7, a high severity rating. The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild at the time of publication, and the vulnerability is not listed in the CISA KEV catalog, so no confirmed exploitation has been publicly reported. The flaw is exploitable remotely over HTTP without authentication: a single request carrying a percent-encoded traversal sequence can reach any file the application process is able to read. Because access is bounded only by the privileges of that process, the impact is greater in deployments where it runs with elevated rights.

Generated by OpenCVE AI on April 15, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wisp to version 2.2.1 or later, which corrects the sanitization order and prevents path traversal.
  • If an update is not immediately possible, disable the serve_static component or replace it with a secure static file handler that validates paths after percent-decoding.
  • Apply additional file-system access controls so the application process has only the minimal permissions required.


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-h7cj-j2vv-qw8r   Wisp Vulnerable to Path Traversal
History

Wed, 27 May 2026 14:00:00 +0000

Type     Values Removed  Values Added
Metrics  (none)          cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 06 Apr 2026 16:45:00 +0000


Wed, 11 Mar 2026 15:15:00 +0000

Type     Values Removed  Values Added
Metrics  (none)          ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 22:00:00 +0000

Type                 Values Removed  Values Added
Description          (none)          Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.
Title                (none)          Path Traversal in wisp.serve_static allows arbitrary file read
First Time appeared  (none)          Gleam-wisp; Gleam-wisp wisp
Weaknesses           (none)          CWE-22
CPEs                 (none)          cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*
Vendors & Products   (none)          Gleam-wisp; Gleam-wisp wisp
References           (none)          (none listed)
Metrics              (none)          cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:07.589Z

Reserved: 2026-03-03T14:40:00.590Z

Link: CVE-2026-28807

Vulnrichment

Updated: 2026-03-11T14:20:53.092Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:18.640

Modified: 2026-05-27T13:45:05.160

Link: CVE-2026-28807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses