Skip to main content

WebP Server Go CVE-2026-53779

| EUVDEUVD-2026-38340 HIGH
Path Traversal (CWE-22)
2026-06-22 VulnCheck GHSA-pv77-wrq6-gq73
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network request triggers arbitrary file read on Windows hosts (AV:N/AC:L/PR:N/UI:N); confidentiality only (C:H, I:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 19:02 vuln.today
Analysis Generated
Jun 22, 2026 - 19:02 vuln.today
CVE Published
Jun 22, 2026 - 18:22 cve.org
HIGH 8.7

DescriptionCVE.org

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

AnalysisAI

Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Windows-hosted WebP Server Go instance
Delivery
Craft URL with %5C-encoded traversal sequence
Exploit
Send unauthenticated HTTP GET to image endpoint
Install
Bypass path.Clean() via backslash encoding
C2
Windows API resolves backslash as separator
Execute
Read arbitrary file accessible to service account
Impact
Exfiltrate sensitive content

Vulnerability AssessmentAI

Exploitation Exploitation requires the WebP Server Go binary (≤0.14.4) to be running on a Windows host and reachable by the attacker over HTTP; no authentication, user interaction, or non-default configuration is needed beyond standard service exposure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 base score is 8.7 (High) with AV:N/AC:L/AT:N/PR:N/UI:N and VC:H/VI:N/VA:N, accurately reflecting an unauthenticated network-reachable arbitrary read with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed WebP Server Go instance running on Windows (e.g., via Shodan banner) and issues a single HTTP GET such as 'GET /..%5C..%5C..%5CWindows%5Cwin.ini' against the image-serving endpoint. The %5C bytes pass through path.Clean() unaltered, the Windows file API resolves the backslashes as separators, and the server returns the requested file content to the unauthenticated client, enabling theft of configuration files, credentials, or source code accessible to the service account.
Remediation Vendor-released patch: upgrade to WebP Server Go 0.15.0 or later, which corrects the path normalization in handler/router.go (fix commit eb3b5f9289b331cb639cd610b0d1c532d2cc24e0, merged via PR #451). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan infrastructure to identify all Windows systems running WebP Server Go and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy