CVE-2026-53779
WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
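The separator mismatch described above, as an added Go example (not code from WebP Server Go or its fix): `naiveClean` shows why `path.Clean` leaves backslash segments untouched, and `confine` is a hypothetical helper that unifies separators before rejecting parent-directory segments. The root `/srv/pics` and the sample request paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var errTraversal = errors.New("path escapes image root")

// naiveClean shows the gap: path.Clean only splits on "/", so a segment
// such as `..\..\x` is one opaque name and passes through unchanged.
func naiveClean(rawPath string) string {
	decoded, _ := url.PathUnescape(rawPath)
	return path.Clean("/" + decoded)
}

// confine (hypothetical helper) treats "\" as a separator before checking,
// so the decision is the same on Linux and on Windows.
func confine(root, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	unified := strings.ReplaceAll(decoded, `\`, "/")
	for _, seg := range strings.Split(unified, "/") {
		if seg == ".." {
			return "", errTraversal
		}
	}
	return path.Join(root, path.Clean("/"+unified)), nil
}

func main() {
	// Constructed sample inputs; "/srv/pics" stands in for IMG_PATH.
	for _, p := range []string{"/cats/a.jpg", "/..%5C..%5Cconstructed.txt"} {
		full, err := confine("/srv/pics", p)
		fmt.Printf("%-28s naive=%q confined=%q err=%v\n", p, naiveClean(p), full, err)
	}
}
```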
| CWE | CWE-22 |
| Vendor | webp-sh |
| Product | webp_server_go |
| Published | Jun 22, 2026 |
| Last Updated | Jun 22, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
webp-sh / webp_server_go
0 < 0.15.0
Credits
Katriel Moses