CVE-2026-53779
HIGHWebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
Title source: cnaDescription
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
References (3)
Core 3
Core References
Patch patch
Patch Commit
https://github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
webp-sh/webp_server_go
< 0.15.0
Published
Jun 22, 2026
Tracked Since
Jun 23, 2026