CVE-2026-28807 โ Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')โฆ
๐จ CVE-2026-28807 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-deco
What This Means For You
- New vulnerability disclosed โ verify if your stack is exposed.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-28807 | Path Traversal | Software: gleam-wisp wisp, Versions: >= 2.1.1, < 2.2.1, Vulnerable Component: wisp.serve_static, Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability allowing arbitrary file read via percent-encoded path traversal due to sanitization running before percent-decoding. |
| CVE-2026-28807 | Information Disclosure | Software: gleam-wisp wisp, Versions: >= 2.1.1, < 2.2.1, Impact: Unauthenticated attacker can read any file readable by the application process (source code, configuration files, secrets, system files) via a single HTTP request exploiting a path traversal vulnerability in wisp.serve_static. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Published | April 06, 2026 at 20:27 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
BookingPress Pro Plugin: Critical RCE via Unauthenticated File Upload
CVE-2026-6960 โ The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in...
CVE-2026-22678 โ The Email Template Description Field Of The System And Serve Cross-Site Scripting (XSS)
CVE-2026-22678 โ Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that...
LiteLLM Privilege Escalation: User Role Manipulation Grants Admin Access (CVE-2026-47102)
CVE-2026-47102 โ LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to...