{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28807", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-03-03T14:40:00.590Z", "datePublished": "2026-03-10T21:34:47.859Z", "dateUpdated": "2026-04-06T16:44:07.589Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "wisp", "packageURL": "pkg:hex/wisp", "product": "wisp", "repo": "https://github.com/gleam-wisp/wisp", "vendor": "gleam-wisp", "versions": [{"lessThan": "2.2.1", "status": "affected", "version": "2.1.1", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "gleam-wisp/wisp", "packageURL": "pkg:github/gleam-wisp/wisp", "product": "wisp", "repo": "https://github.com/gleam-wisp/wisp.git", "vendor": "gleam-wisp", "versions": [{"lessThan": "161118c431047f7ef1ff7cabfcc38981877fdd93", "status": "affected", "version": "129dcb1fe10ab1e676145d91477535e1c90ab550", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.1", "versionStartIncluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "John Downey"}, {"lang": "en", "type": "remediation developer", "value": "Louis Pilfold"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.<p>The <tt>wisp.serve_static</tt> function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence <tt>%2e%2e</tt> passes through <tt>string.replace</tt> unchanged, then <tt>uri.percent_decode</tt> converts it to <tt>..</tt>, which the OS resolves as directory traversal when the file is read.</p><p>An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.</p><p>This issue affects wisp: from 2.1.1 before 2.2.1.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1."}], "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:07.589Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-28807.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28807"}, {"tags": ["patch"], "url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"}], "source": {"discovery": "EXTERNAL"}, "title": "Path Traversal in wisp.serve_static allows arbitrary file read", "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:20:19.768057Z", "id": "CVE-2026-28807", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:20:59.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28807", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:20:19.768057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:20:53.092Z"}}], "cna": {"title": "Path Traversal in wisp.serve_static allows arbitrary file read", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "John Downey"}, {"lang": "en", "type": "remediation developer", "value": "Louis Pilfold"}], "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"], "repo": "https://github.com/gleam-wisp/wisp", "vendor": "gleam-wisp", "product": "wisp", "versions": [{"status": "affected", "version": "2.1.1", "lessThan": "2.2.1", "versionType": "semver"}], "packageURL": "pkg:hex/wisp", "packageName": "wisp", "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"], "repo": "https://github.com/gleam-wisp/wisp.git", "vendor": "gleam-wisp", "product": "wisp", "versions": [{"status": "affected", "version": "129dcb1fe10ab1e676145d91477535e1c90ab550", "lessThan": "161118c431047f7ef1ff7cabfcc38981877fdd93", "versionType": "git"}], "packageURL": "pkg:github/gleam-wisp/wisp", "packageName": "gleam-wisp/wisp", "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-28807.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28807", "tags": ["related"]}, {"url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.<p>The <tt>wisp.serve_static</tt> function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence <tt>%2e%2e</tt> passes through <tt>string.replace</tt> unchanged, then <tt>uri.percent_decode</tt> converts it to <tt>..</tt>, which the OS resolves as directory traversal when the file is read.</p><p>An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.</p><p>This issue affects wisp: from 2.1.1 before 2.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.2.1", "versionStartIncluding": "2.1.1"}], "operator": "OR"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:07.589Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28807", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:07.589Z", "dateReserved": "2026-03-03T14:40:00.590Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-03-10T21:34:47.859Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en gleam-wisp wisp permite la lectura arbitraria de archivos mediante salto de ruta codificado en porcentaje.\n\nLa funci\u00f3n wisp.serve_static es vulnerable a salto de ruta porque la sanitizaci\u00f3n se ejecuta antes de la decodificaci\u00f3n de porcentaje. La secuencia codificada %2e%2e pasa por string.replace sin cambios, luego uri.percent_decode la convierte a .., que el sistema operativo resuelve como salto de directorio cuando se lee el archivo.\n\nUn atacante no autenticado puede leer cualquier archivo legible por el proceso de la aplicaci\u00f3n en una \u00fanica solicitud HTTP, incluyendo c\u00f3digo fuente de la aplicaci\u00f3n, archivos de configuraci\u00f3n, secretos y archivos del sistema.\n\nEste problema afecta a wisp: desde 2.1.1 antes de 2.2.1."}], "id": "CVE-2026-28807", "lastModified": "2026-04-06T17:17:09.200", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-03-10T22:16:18.640", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-28807.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28807"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.1,2.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/wisp@2.1.1,pkg:hex/wisp@2.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[129dcb1fe10ab1e676145d91477535e1c90ab550,161118c431047f7ef1ff7cabfcc38981877fdd93)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:github/gleam-wisp/wisp@129dcb1fe10ab1e676145d91477535e1c90ab550,pkg:github/gleam-wisp/wisp@161118c431047f7ef1ff7cabfcc38981877fdd93)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wisp", "vendor": "gleam-wisp"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.1,2.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/wisp@2.1.1,pkg:hex/wisp@2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wisp", "source": "cna", "vendor": "gleam-wisp"}, "product": "wisp", "vendor": "gleam-wisp"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[129dcb1fe10ab1e676145d91477535e1c90ab550,161118c431047f7ef1ff7cabfcc38981877fdd93)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:github/gleam-wisp/wisp@129dcb1fe10ab1e676145d91477535e1c90ab550,pkg:github/gleam-wisp/wisp@161118c431047f7ef1ff7cabfcc38981877fdd93)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wisp", "source": "cna", "vendor": "gleam-wisp"}, "product": "wisp", "vendor": "gleam-wisp"}], "analysis": {"en": {"generated_at": "2026-04-15T22:40:26.814598+00:00", "value": {"mitigation_remediation": ["Update wisp to version 2.2.1 or later, which corrects the sanitization order and prevents path traversal.", "If an update is not immediately possible, disable the serve_static component or replace it with a secure static file handler that validates paths after percent-decoding.", "Apply additional file\u2011system access controls so the application process has only the minimal permissions required."], "summary": {"action": "Patch Now", "impact": "Arbitrary file read via path traversal"}, "threat_synthesis": {"affected_systems": "Affected products are the Gleam\u2011Wisp wisp web framework for all versions from 2.1.1 up to, but not including, 2.2.1. Applications built with these versions that use the default serve_static component are vulnerable.", "description_and_impact": "The vulnerability is a Path Traversal flaw in the wisp.serve_static handler. The code performs string replacement before percent-decoding, so an encoded '..' (for example, %2e%2e) passes through unchanged and is decoded to .., allowing the operating system to interpret it as a directory traversal. This flaw allows an unauthenticated attacker to read any file that the application process can access in a single HTTP request, including source code, configuration files, secrets, and system files.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating a high severity risk. The EPSS score is below 1%, suggesting a low probability of exploitation observed in the wild at the time of publication. The vulnerability is not listed in the CISA KEV catalog, so no proof of exploitation is publicly known. The flaw can be exploited remotely over HTTP with no authentication; an attacker can target any readable file in the application\u2019s scope by crafting an HTTP request containing a percent\u2011encoded traversal sequence. Because access is based on the privileges of the application process, the compromise can be more extensive in deployments where the process runs with elevated rights."}}}}, "created": "2026-03-11T11:39:17.089919+00:00", "updated": "2026-04-15T22:45:16.441900+00:00", "vendors": ["gleam-wisp", "gleam-wisp$PRODUCT$wisp"]}