SUSE CVE-2026-25766

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

GO-2026-4502 Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5

Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5...

📄 Echo Framework 5.0.4 Path Traversal

This Python script is a security testing tool designed to detect a path traversal vulnerability in web applications built with the Echo framework version 5 running on Windows systems...

CVE-2026-25766

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVE-2026-25766

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVE-2026-25766

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVE-2026-25766

The CVE-2026-25766 issue affects Echo (github.com/labstack/echo/v5) on Windows, where middleware.Static uses the default filesystem and path.Clean does not treat backslashes as separators. This lets an unauthenticated attacker read files outside the static root by crafting a path that includes se...

CVE-2026-25766 Echo has a Windows path traversal via backslash in middleware.Static default filesystem

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVE-2026-25766

creationtimestamp| type| source ---|---|--- 2026-02-17 15:04:59+00:00| published-proof-of-concept| https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9...

CVE-2020-36565 Directory traversal on Windows in github.com/labstack/echo/v4

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read...