CVE-2026-53779

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 22, 2026

CWE ID

CWE-22

Source

NVD

Vendor

webp-sh

Product

webp_server_go

External References

https://github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0
https://github.com/webp-sh/webp_server_go/pull/451
https://www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows

CVE-2026-53779

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment