Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network request triggers arbitrary file read on Windows hosts (AV:N/AC:L/PR:N/UI:N); confidentiality only (C:H, I:N, A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
AnalysisAI
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the WebP Server Go binary (≤0.14.4) to be running on a Windows host and reachable by the attacker over HTTP; no authentication, user interaction, or non-default configuration is needed beyond standard service exposure. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 base score is 8.7 (High) with AV:N/AC:L/AT:N/PR:N/UI:N and VC:H/VI:N/VA:N, accurately reflecting an unauthenticated network-reachable arbitrary read with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-exposed WebP Server Go instance running on Windows (e.g., via Shodan banner) and issues a single HTTP GET such as 'GET /..%5C..%5C..%5CWindows%5Cwin.ini' against the image-serving endpoint. The %5C bytes pass through path.Clean() unaltered, the Windows file API resolves the backslashes as separators, and the server returns the requested file content to the unauthenticated client, enabling theft of configuration files, credentials, or source code accessible to the service account. |
| Remediation | Vendor-released patch: upgrade to WebP Server Go 0.15.0 or later, which corrects the path normalization in handler/router.go (fix commit eb3b5f9289b331cb639cd610b0d1c532d2cc24e0, merged via PR #451). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan infrastructure to identify all Windows systems running WebP Server Go and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38340
GHSA-pv77-wrq6-gq73