98 matches found
CVE-2026-39407
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...
CVE-2026-39406
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...
Directory Traversal
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...
Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
EUVD-2026-20493
Hono: Middleware bypass via repeated slashes in serveStatic...
Directory Traversal
Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...
EUVD-2026-20491
@hono/node-server: Middleware bypass via repeated slashes in serveStatic...
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31281
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
Wisp Vulnerable to Path Traversal
Summary wisp.servestatic is vulnerable to arbitrary file read via percent-encoded path traversal %2e%2e. The directory traversal sanitization runs before percent-decoding, allowing encoded .. sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application...
GHSA-H7CJ-J2VV-QW8R Wisp Vulnerable to Path Traversal
Summary wisp.servestatic is vulnerable to arbitrary file read via percent-encoded path traversal %2e%2e. The directory traversal sanitization runs before percent-decoding, allowing encoded .. sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application...
CVE-2026-28807
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
EEF-CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
CVE-2026-28807
CVE-2026-28807 affects gleam-wisp wisp; path traversal in wisp.serve_static occurs because sanitization runs before percent-decoding, allowing %2e%2e to decode to .. and read any file the process can access. Affected versions are 2.1.1 <= wisp
CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.servestatic function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded...
Wisp 安全漏洞
Wisp is a practical Gleam web framework developed under open source, designed for rapid development and easy maintenance. Versions of Wisp from 2.1.1 to 2.2.1 contained security vulnerabilities. These vulnerabilities were caused by a path traversal vulnerability in the wisp.servestatic function,...
PT-2026-24472
Name of the Vulnerable Software and Affected Versions gleam-wisp wisp versions 2.1.1 through 2.2.0 Description A path traversal issue exists in gleam-wisp wisp that allows arbitrary file reading through percent-encoded path traversal. The wisp.serve static function is susceptible because...