Path Traversal
Description
This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- sprinfall/webcc (description)
Vulnerability mechanics
Root cause
"The application does not properly sanitize URL paths, allowing directory traversal."
Attack vector
An attacker can send a crafted URL to the server that includes directory traversal sequences (e.g., `../`). This allows the attacker to bypass intended file restrictions and access arbitrary files on the server's file system. The vulnerability is present in the static file serving mechanism of the application. [ref_id=1]
Affected code
The vulnerability resides in the `Router::MatchView` function within the `Router` class. Specifically, the issue stems from how the `url` parameter was used in `std::regex_match` and `boost::iequals` checks, which did not adequately sanitize or validate the path for traversal attempts. The commit `55a45fd5039061d5cc62e9f1b9d1f7e97a15143f` addresses this by introducing `url_path` for these comparisons. [ref_id=1]
What the fix does
The patch modifies the `Router::MatchView` function to use `url_path` instead of `url` when matching against route definitions. This change ensures that the provided URL path is correctly processed and validated, preventing directory traversal attacks by properly handling the input before it is used to access files. [ref_id=1]
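A containment check of the kind a static file handler can apply before opening a file, as an added example that is not webcc's code and not the patch itself. The helper name `ResolveUnderRoot`, the document root `/srv/www`, and the sample request paths are assumptions; the input is assumed to be the already percent-decoded path component of the URL on a POSIX-style file system.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Hypothetical helper, not part of webcc: maps the path component of a
// request URL (assumed already percent-decoded) onto an absolute doc_root.
// Returns std::nullopt when the result would fall outside doc_root.
std::optional<fs::path> ResolveUnderRoot(const fs::path& doc_root,
                                         const std::string& url_path) {
  if (!doc_root.is_absolute()) return std::nullopt;
  if (url_path.empty() || url_path.front() != '/') return std::nullopt;
  // NUL bytes and backslashes have no place in a static-file path.
  if (url_path.find('\0') != std::string::npos ||
      url_path.find('\\') != std::string::npos) {
    return std::nullopt;
  }

  fs::path root = doc_root.lexically_normal();
  if (!root.has_filename()) root = root.parent_path();  // drop trailing '/'

  // Drop the leading '/' so operator/ appends to root; collapse "." and "..".
  // A path such as "//etc/passwd" still replaces root here and is caught by
  // the containment check below.
  const fs::path candidate = (root / url_path.substr(1)).lexically_normal();

  // Compare component by component, so "/srv/www-private" is not accepted
  // as being inside "/srv/www" the way a string prefix test would.
  const auto root_end = std::mismatch(root.begin(), root.end(),
                                      candidate.begin(), candidate.end()).first;
  if (root_end != root.end()) return std::nullopt;
  return candidate;
}

int main() {
  const fs::path root = "/srv/www";  // constructed document root
  // Constructed sample request paths.
  for (const std::string p : {"/css/site.css", "/a/../index.html",
                              "/../../etc/passwd", "/../www-private/key",
                              "//etc/passwd"}) {
    const auto resolved = ResolveUnderRoot(root, p);
    std::cout << p << " -> " << (resolved ? resolved->string() : "REJECTED") << "\n";
  }
}
```

The check is purely lexical and does not follow symbolic links; where the document root may contain links, compare the results of `std::filesystem::weakly_canonical` for both paths instead.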
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f (mitre, x_refsource_MISC)
- snyk.io/vuln/SNYK-UNMANAGED-SPRINFALLWEBCC-2404182 (mitre, x_refsource_MISC)