CVE-2026-55629
CVE-2026-55629 affects Whistle (HTTP/HTTP2/HTTPS/WebSocket proxy). Before 2.10.3, the code path in lib/service/service.js for GET /cgi-bin/temp/get uses req.query.filename and joins it to TEMP_FILES_PATH only if it matches the temp-file pattern; otherwise it passes the user-supplied filename to g...