Severity: Unrated · NVD Advisory · Published Jun 22, 2026 · Updated Jun 22, 2026
WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
CVE-2026-53779
Description
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
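The normalization gap described above, as an added Go example (not code from webp_server_go or its patch): `cleanOnly` models a handler that relies on `path.Clean()` alone, and the hypothetical `safeRelPath` refuses backslashes before cleaning. Function names and sample request paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// cleanOnly models a handler that percent-decodes the request path and then
// trusts path.Clean. path.Clean only treats "/" as a separator, so a segment
// such as `..\..\secret.txt` is one opaque element and is left untouched.
func cleanOnly(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + decoded), nil
}

// safeRelPath (hypothetical helper) returns a path relative to the image root,
// or an error. It rejects backslashes outright instead of trying to normalize
// them, because Windows file APIs accept "\" as a separator. Rejecting ":"
// (drive-letter prefix) and NUL is an extra precaution assumed here.
func safeRelPath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if strings.ContainsAny(decoded, "\\:\x00") {
		return "", fmt.Errorf("rejected request path %q", decoded)
	}
	// Rooted Clean: ".." elements cannot climb above "/".
	cleaned := path.Clean("/" + decoded)
	return strings.TrimPrefix(cleaned, "/"), nil
}

func main() {
	// Constructed sample request paths.
	for _, p := range []string{"/img/cat.jpg", "/img/../dog.png", "/..%5C..%5Csecret.txt"} {
		c, _ := cleanOnly(p)
		rel, err := safeRelPath(p)
		fmt.Printf("%-24s cleanOnly=%q safeRelPath=%q err=%v\n", p, c, rel, err)
	}
}
```

The relative path returned by `safeRelPath` is still meant to be joined to the configured image root, and checking that the joined result stays under that root remains a useful second layer.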
Affected products
- Range: <=0.14.4
References
- github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0 (mitre, patch)
- www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows (mitre, third-party-advisory)
- github.com/webp-sh/webp_server_go/pull/451 (mitre, issue-tracking)