CVE-2026-53779

HIGH

WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows

Title source: cna
STIX 2.1

Description

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

Scores

CVSS v3 7.5
EPSS 0.0041
EPSS Percentile 32.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
webp-sh/webp_server_go < 0.15.0
Published Jun 22, 2026
Tracked Since Jun 23, 2026