18 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-55677
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the...
CVE-2026-55677
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
UBUNTU-CVE-2026-55677
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
CVE-2026-55677
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
CVE-2026-55677 Echo: Encoded slash (%2F) bypasses route-level protection and exposes static files
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
EUVD-2026-39800
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
CVE-2026-55677
Echo (Go framework) prior to 4.15.3 and 5.2.0 has a router vs static file handler decoding mismatch: the router uses the raw encoded path while StaticDirectoryHandler unescapes %2F to /, enabling bypass of route-level access controls to read static files without authorization. The vulnerability i...
SUSE CVE-2026-25766
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
GO-2026-4502 Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5
Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5...
📄 Echo Framework 5.0.4 Path Traversal
This Python script is a security testing tool designed to detect a path traversal vulnerability in web applications built with the Echo framework version 5 running on Windows systems...
CVE-2026-25766
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
CVE-2026-25766
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
CVE-2026-25766 Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
CVE-2026-25766
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
CVE-2026-25766
The CVE-2026-25766 issue affects Echo (github.com/labstack/echo/v5) on Windows, where middleware.Static uses the default filesystem and path.Clean does not treat backslashes as separators. This lets an unauthenticated attacker read files outside the static root by crafting a path that includes se...
CVE-2026-25766
creationtimestamp| type| source ---|---|--- 2026-02-17 15:04:59+00:00| published-proof-of-concept| https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9...
The vulnerability of the Static Handler component of the web framework used to create scalable and high-performance web applications, Echo, allows a attacker to perform an SSRF attack.
The vulnerability of the Static Handler component of the web framework used to create scalable and high-performance web applications, Echo, involves redirecting URLs to an unreliable website. Exploiting this vulnerability can enable a remote attacker to perform an SSRF attack...
CVE-2020-36565 Directory traversal on Windows in github.com/labstack/echo/v4
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read...