Description
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WebP Server Go versions prior to 0.15.0 (0.14.4 and earlier) contain a path traversal flaw on Windows that allows unauthenticated attackers to read files outside the configured image directory (IMG_PATH). The request path is percent-decoded and normalised with Go's path.Clean() in handler/router.go, but path.Clean() recognises only the forward slash as a separator, so a percent-encoded backslash (%5C) decodes to a "\" that is treated as an ordinary character inside a single path element and survives normalisation intact. Windows file system APIs accept "\" and "/" interchangeably, so the surviving "..\" segments are honoured when the file is opened and the attacker can retrieve any file readable by the server process. The impact is to confidentiality only: CVSS v4.0 base score 8.7 (High), CVSS v3.1 base score 7.5.
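The separator discrepancy described above, shown as an added Go example that is not code from the webp_server_go project: vulnerableResolve mirrors the flawed decode, path.Clean(), join sequence; windowsView simulates how the Windows file APIs would read the resulting string (folding "\" into "/"), so the example runs on any OS; escapesRoot and hardenedResolve are a containment check and a hardened lookup. The image root "/srv/webp/images", the function names and the sample request paths are assumptions made for this example and stand in for IMG_PATH and the real router.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// imgRoot stands in for the configured IMG_PATH (hypothetical value for this example).
const imgRoot = "/srv/webp/images"

// vulnerableResolve mirrors the flawed pattern: percent-decode the request path,
// run it through path.Clean, and append it to the image root. path.Clean only
// recognises "/" as a separator, so a decoded "\" is an ordinary byte inside one
// element and the "..\" segments survive untouched.
func vulnerableResolve(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Join(imgRoot, path.Clean("/"+decoded)), nil
}

// windowsView simulates how the Windows file APIs read a path: "\" and "/" are
// interchangeable, so backslashes are folded to "/" before normalising. On Windows
// itself filepath.Clean performs this folding for real; the simulation keeps the
// example portable.
func windowsView(p string) string {
	return path.Clean(strings.ReplaceAll(p, `\`, "/"))
}

// escapesRoot reports whether the path, as Windows would interpret it, lands
// outside imgRoot. The trailing "/" in the prefix check stops "/srv/webp/imagesX"
// from being accepted as inside "/srv/webp/images".
func escapesRoot(resolved string) bool {
	win := windowsView(resolved)
	return win != imgRoot && !strings.HasPrefix(win, imgRoot+"/")
}

// hardenedResolve rejects backslashes before they can reach the file system and
// then verifies containment independently of how the path was cleaned, so the
// lookup stays safe even if another separator quirk slips past the first check.
func hardenedResolve(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(decoded, '\\') {
		return "", fmt.Errorf("request path %q contains a backslash", decoded)
	}
	resolved := path.Join(imgRoot, path.Clean("/"+decoded))
	if escapesRoot(resolved) {
		return "", fmt.Errorf("request path %q escapes %s", decoded, imgRoot)
	}
	return resolved, nil
}

func main() {
	// Constructed sample requests: a legitimate image and a %5C traversal attempt.
	for _, raw := range []string{"/photos/cat.png", "/..%5C..%5C..%5Cwindows%5Cwin.ini"} {
		v, _ := vulnerableResolve(raw)
		fmt.Printf("%-36s vulnerable -> %s (escapes root: %v)\n", raw, v, escapesRoot(v))
		if h, err := hardenedResolve(raw); err != nil {
			fmt.Printf("%-36s hardened   -> rejected: %v\n", raw, err)
		} else {
			fmt.Printf("%-36s hardened   -> %s\n", raw, h)
		}
	}
}
```

Note that forward-slash traversal such as /../../etc/passwd is already neutralised by path.Clean("/"+decoded), which is why only the backslash form reaches the file system; the containment check in hardenedResolve is the defence that does not depend on knowing every separator the host OS accepts.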

Affected Systems

Vendor: webp-sh. Product: webp_server_go. Affected versions: all releases before 0.15.0, i.e. 0.14.4 and earlier. Only Windows deployments are affected, because the traversal depends on the Windows file APIs treating backslashes as separators; IMG_PATH is the directory the server is configured to serve image files from, and files outside it are the target.

Risk and Exploitability

The flaw is highly exploitable: it requires a single unauthenticated HTTP request whose path contains percent-encoded backslashes, with no user interaction and no special privileges (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N). No EPSS score is available yet and the CVE is not listed in the CISA KEV catalog, but with no vendor advisory published and arbitrary file read within the reach of the server process, the exposure is significant. Attackers use the separator discrepancy to traverse out of IMG_PATH with "..\" segments and read any host file the web server process can access; running the service as an administrator widens the set of readable files accordingly.

Generated by OpenCVE AI on June 22, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade webp-server-go to version 0.15.0 or later, which removes the backslash handling flaw.
  • If an upgrade is not immediately possible, configure the server or a reverse proxy in front of it to reject or normalize requests whose raw path contains a percent-encoded backslash (%5C or %5c, since percent-encoding is case-insensitive) or a literal backslash, checking the path before it is decoded. This blocks the traversal attempts described above.
  • Point IMG_PATH at a dedicated directory containing only the images to be served, and run the service under a dedicated low-privilege account with least-privilege file system permissions, so that even a successful traversal cannot reach sensitive data.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:45:00 +0000

Type: Description
  Values removed: none
  Values added: WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

Type: Title
  Values removed: none
  Values added: WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows

Type: Weaknesses
  Values removed: none
  Values added: CWE-22

Type: References
  Values removed: none
  Values added: none

Type: Metrics
  Values removed: none
  Values added:
    cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T18:23:07.076Z

Reserved: 2026-06-10T20:14:32.826Z

Link: CVE-2026-53779

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')