{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.546Z", "datePublished": "2026-01-24T01:50:24.473Z", "dateUpdated": "2026-01-26T16:17:09.316Z"}, "containers": {"cna": {"title": "C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff"}], "affected": [{"vendor": "frustratedProton", "product": "http-server", "versions": [{"version": "<= 1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:50:24.473Z"}, "descriptions": [{"lang": "en", "value": "C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication."}], "source": {"advisory": "GHSA-qp54-6gfq-3gff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T16:16:26.507706Z", "id": "CVE-2026-24469", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:17:09.316Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.546Z", "datePublished": "2026-01-24T01:50:24.473Z", "dateUpdated": "2026-01-26T16:17:09.316Z"}, "containers": {"cna": {"title": "C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff"}], "affected": [{"vendor": "frustratedProton", "product": "http-server", "versions": [{"version": "<= 1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:50:24.473Z"}, "descriptions": [{"lang": "en", "value": "C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication."}], "source": {"advisory": "GHSA-qp54-6gfq-3gff", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T16:16:26.507706Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:16:32.174Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication."}, {"lang": "es", "value": "C++ HTTP Server es un servidor HTTP/1.1 dise\u00f1ado para manejar conexiones de clientes y servir solicitudes HTTP. Las versiones 1.0 e inferiores son vulnerables a salto de ruta a trav\u00e9s del m\u00e9todo RequestHandler::handleRequest. Esta falla permite a un atacante remoto no autenticado leer archivos arbitrarios del sistema de archivos del servidor al crear una solicitud HTTP GET maliciosa que contiene secuencias ../. La aplicaci\u00f3n no logra sanear la variable filename derivada de la ruta URL controlada por el usuario, concaten\u00e1ndola directamente a la ruta base files_directory y permitiendo el salto de ruta fuera de la ra\u00edz prevista. Ning\u00fan parche estaba disponible en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-24469", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-24T03:16:01.150", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:56:54.722948+00:00", "value": {"mitigation_remediation": ["Block HTTP GET requests containing \"../\" segments using a web application firewall or reverse\u2011proxy rule to reject such patterns.", "Restrict inbound access to the http-server instance to trusted IP ranges, limiting unauthenticated exposure.", "Plan for an upgrade to a version newer than 1.0 once the vendor releases a patch; if an update is not feasible, consider placing the server in a sandboxed environment (e.g., chroot or container) to constrain filesystem visibility."], "summary": {"action": "Monitor", "impact": "Remote attacker can read arbitrary files through path traversal"}, "threat_synthesis": {"affected_systems": "The problem affects the open\u2011source http\u2011server project from frustratedProton, specifically all releases version 1.0 and earlier. Any deployment of these versions exposing the HTTP interface is vulnerable until a patch or mitigative change is applied.", "description_and_impact": "C++ HTTP Server accepts HTTP/1.1 requests and serves files from a configured directory. A flaw in RequestHandler::handleRequest fails to sanitize the filename derived from the URL path, allowing a malicious client to craft a GET request containing \"../\" sequences. The vulnerability is a classic directory traversal (CWE-22) that permits an unauthenticated, remote attacker to read any file on the server\u2019s filesystem beyond the intended root, potentially exposing configuration files, credentials, or sensitive data. The impact is confidentiality compromise by remote arbitrary file read.", "risk_and_exploitability": "The CVSS base score of 7.5 reflects high impact and medium exploitation difficulty; the EPSS score of less than 1% suggests that, at the moment, exploitation attempts are rare, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker can trigger the flaw remotely without authentication by sending a crafted GET request that includes path\u2011traversal sequences. Success hinges on the server running an affected version and the network being accessible, so perimeter defenses and IP restrictions reduce the attack surface."}}}}, "created": "2026-01-26T11:48:43.542899+00:00", "updated": "2026-04-18T03:00:10.333044+00:00", "vendors": ["frustratedproton", "frustratedproton$PRODUCT$http-server"]}