What is the CVSS score of CVE-2026-25766?

CVE-2026-25766 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Windows are affected by CVE-2026-25766?

Organizations using versions 5.0.0 should be aware of moderate risk from CVE-2026-25766, a path traversal vulnerability rated CVSS 5.3. This could allow unauthorized file access.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25766?

Yes, a public proof-of-concept exploit is available for CVE-2026-25766. Prioritise patching immediately. EPSS: 0.0%.

Windows CVE-2026-25766

MEDIUM

Path Traversal (CWE-22)

2026-02-19 security-advisories@github.com

GHSA-pgvm-wxw2-hrv9

Windows Path Traversal Golang Echo Suse

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 23, 2026 - 20:17 vuln.today

Public exploit code

Patch released

Feb 23, 2026 - 20:17 nvd

Patch available

CVE Published

Feb 19, 2026 - 16:27 nvd

MEDIUM 5.3

DescriptionNVD

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and normalized with path.Clean (URL semantics). path.Clean does not treat \ as a path separator, so ..\ sequences remain in the cleaned path. The resulting path is then passed to currentFS.Open(...). When the filesystem is left at the default (nil), Echo uses defaultFS which calls os.Open (echo.go:792). On Windows, os.Open treats \ as a path separator and resolves ..\, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

AnalysisAI

Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. …

RemediationAI

Within 30 days: Identify affected systems running versions 5.0.0 and apply vendor patches as part of regular patch cycle. Review file handling controls.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-25766 vulnerability details – vuln.today

Back

Windows CVE-2026-25766

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code