Skip to main content

Whistle CVE-2026-55629

| EUVDEUVD-2026-45030 HIGH
Path Traversal (CWE-22)
2026-07-16 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable endpoint, no auth or user interaction, and a simple traversal parameter give AV:N/AC:L/PR:N/UI:N; arbitrary file read yields C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:15 vuln.today
Analysis Generated
Jul 16, 2026 - 20:15 vuln.today
CVE Published
Jul 16, 2026 - 19:12 cve.org
HIGH 8.7

DescriptionCVE.org

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH only when it matches the temporary file pattern, and otherwise passing the user-supplied filename directly to getFile, allowing a remote attacker to read arbitrary files such as /etc/passwd. This issue is reported as fixed in version 2.10.3.

AnalysisAI

Arbitrary file read in the Whistle debugging proxy (avwo/whistle) before 2.10.3 lets remote attackers retrieve any file on the host by abusing the GET /cgi-bin/temp/get endpoint. Because lib/service/service.js only sanitizes req.query.filename when it matches the temporary-file pattern and otherwise hands the raw filename to getFile, a value like ../../../../etc/passwd escapes TEMP_FILES_PATH and is served back. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Whistle proxy port
Delivery
Send GET /cgi-bin/temp/get with traversal filename
Exploit
Filename bypasses temp-file pattern check
Execution
getFile reads path outside temp dir
Impact
Exfiltrate /etc/passwd or secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Whistle HTTP service and the ability to send a request to the GET /cgi-bin/temp/get endpoint with a crafted req.query.filename that does NOT match the expected temporary-file naming pattern (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a genuine, easily exploitable information-disclosure bug, though not an urgent mass-exploitation event. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a network-exposed Whistle instance sends GET /cgi-bin/temp/get?filename=../../../../../../etc/passwd; because the filename does not match the temporary-file pattern, it is passed straight to getFile and the server returns the file contents. The same technique reads application config files, credentials, TLS keys, or SSH keys within the Whistle process user's reach. …
Remediation Vendor-released patch: 2.10.3 - upgrade Whistle to version 2.10.3 or later (for example, npm install -g whistle@latest or pin whistle@2.10.3), per advisory GHSA-3vfr-4gwf-qxfp (https://github.com/avwo/whistle/security/advisories/GHSA-3vfr-4gwf-qxfp) and release https://github.com/avwo/whistle/releases/tag/v2.10.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Whistle deployments and identify versions prior to 2.10.3; disable inbound network access to affected instances if they are internet-facing or accessible from untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy