๐Ÿ” CVE Alert

CVE-2026-55629

UNKNOWN 0.0

Whistle: Path traversal

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH only when it matches the temporary file pattern, and otherwise passing the user-supplied filename directly to getFile, allowing a remote attacker to read arbitrary files such as /etc/passwd. This issue is reported as fixed in version 2.10.3.

CWE CWE-22
Vendor avwo
Product whistle
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for avwo whistle

Be the first to know when new unknown vulnerabilities affecting avwo whistle are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

avwo / whistle
< 2.10.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/avwo/whistle/security/advisories/GHSA-3vfr-4gwf-qxfp github.com: https://github.com/avwo/whistle/commit/777bcf69bae2972aa7138a158c91619185653cf5 github.com: http://github.com/avwo/whistle/releases/tag/v2.10.3