Path Traversal Vulnerability in Echo Go Framework on Windows
CVE-2026-25766

5.3 MEDIUM

Key Information:

Vendor: Labstack

Status
Vendor
CVE Published: 19 February 2026

What is CVE-2026-25766?

The Echo Go framework, versions 5.0.0 through 5.0.2, contains a path traversal vulnerability in its middleware.Static functionality when running on Windows. Backslashes in the requested path enable unauthenticated remote reading of files outside the designated static root. The issue arises because the method used to clean and normalize the requested path does not adequately handle backslash characters, so the flaw can give unauthorized access to the filesystem when the default filesystem settings are in use. It is fixed in version 5.0.3 of the framework.
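The following Go sketch is an added example, not Echo's code or its 5.0.3 fix. It models why cleaning that only understands forward slashes lets backslash segments through, and shows one possible guard for a static handler. The function names and sample paths are constructed for illustration, the request path is assumed to be already URL-decoded, and Windows separator handling is modelled portably so the code runs on any OS.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// slashOnlyClean returns the root-relative name after cleaning that only
// knows "/" as a separator. path.Clean treats "\" as an ordinary character.
func slashOnlyClean(reqPath string) string {
	return strings.TrimPrefix(path.Clean("/"+reqPath), "/")
}

// escapesOnWindows reports whether name climbs above the root once "\" is
// also treated as a separator, as Windows file APIs do (portable model).
func escapesOnWindows(name string) bool {
	c := path.Clean(strings.ReplaceAll(name, `\`, "/"))
	return c == ".." || strings.HasPrefix(c, "../")
}

// safeStaticName returns a name safe to open under the static root,
// or ok=false when the request should be rejected.
func safeStaticName(reqPath string) (name string, ok bool) {
	if strings.Contains(reqPath, `\`) {
		return "", false // "\" is never a separator in a URL path
	}
	name = slashOnlyClean(reqPath)
	if name == "" {
		name = "."
	}
	// fs.ValidPath accepts backslashes, hence the explicit check above.
	return name, fs.ValidPath(name)
}

func main() {
	// Constructed sample request paths.
	samples := []string{"css/site.css", "a/../index.html", `..\..\secret.txt`, `img\..\..\secret.txt`}
	for _, p := range samples {
		cleaned := slashOnlyClean(p)
		name, ok := safeStaticName(p)
		fmt.Printf("req=%q cleaned=%q escapes=%v safe=%q ok=%v\n",
			p, cleaned, escapesOnWindows(cleaned), name, ok)
	}
}
```

The remediation the advisory itself gives is upgrading to 5.0.3; a guard like this is only a stopgap in front of an unpatched handler.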

Affected Version(s)

echo >= 5.0.0, < 5.0.3

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved