Skip to main content

Whistle

1 CVEs product

Monthly

CVE-2026-55629 HIGH PATCH This Week

Arbitrary file read in the Whistle debugging proxy (avwo/whistle) before 2.10.3 lets remote attackers retrieve any file on the host by abusing the GET /cgi-bin/temp/get endpoint. Because lib/service/service.js only sanitizes req.query.filename when it matches the temporary-file pattern and otherwise hands the raw filename to getFile, a value like ../../../../etc/passwd escapes TEMP_FILES_PATH and is served back. The CVSS 4.0 score is 8.7 (high) with a confidentiality-only impact; there is no public exploit identified at time of analysis, and the flaw is fixed in 2.10.3.

Path Traversal Whistle
NVD GitHub
CVSS 4.0
8.7
CVSS 8.7
HIGH PATCH This Week

Arbitrary file read in the Whistle debugging proxy (avwo/whistle) before 2.10.3 lets remote attackers retrieve any file on the host by abusing the GET /cgi-bin/temp/get endpoint. Because lib/service/service.js only sanitizes req.query.filename when it matches the temporary-file pattern and otherwise hands the raw filename to getFile, a value like ../../../../etc/passwd escapes TEMP_FILES_PATH and is served back. The CVSS 4.0 score is 8.7 (high) with a confidentiality-only impact; there is no public exploit identified at time of analysis, and the flaw is fixed in 2.10.3.

Path Traversal Whistle
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy