Path Traversal Vulnerability in Fiber Web Framework for Go
CVE-2026-25891

7.7 HIGH

Key Information:

Vendor: Gofiber

Status
Vendor
CVE Published: 24 February 2026

What is CVE-2026-25891?

A path traversal vulnerability in Fiber, an Express-inspired web framework written in Go, enables a remote attacker to bypass the sanitizer in the static middleware. The flaw permits access to arbitrary files on the server file system, particularly impacting users on Windows operating systems. Versions from Fiber v3 to v3.0.0 are vulnerable; the issue has been addressed in Fiber v3.1.0. It highlights the importance of keeping web frameworks updated to safeguard against unauthorized file access.

Affected Version(s)

fiber >= 3.0.0, < 3.1.0

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
