CVE-2026-53779 | WebP Server Go through 0.14.4 contains a path traversal vuln… | CVSS 7.5 HIGH

Description

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

Metadata

CVE ID: CVE-2026-53779
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 20:14 UTC
Published: 2026-06-22 18:22 UTC
Last updated: 2026-06-22 18:23 UTC
Primary CWE: CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product: webp-sh / webp_server_go
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
webp-sh	webp_server_go	—	0 < 0.15.0

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)