Path Traversal Vulnerability in Wisp by Gleam Wisp
CVE-2026-28807

8.7HIGH

Key Information:

Vendor: Gleam-wisp
Status: Wisp
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-28807?

A vulnerability has been identified in the Wisp application allowing unauthorized access to sensitive files through path traversal. The flaw exists in the wisp.serve_static function, where improper sanitization of input permits an attacker to manipulate encoded paths. Specifically, the percent-encoded sequence %2e%2e is not properly handled, enabling attackers to decode requests and traverse directories. As a result, any file that the application processes can become readable by sending a single HTTP request. This not only includes application source code and configuration files but can also expose secrets and other critical system files. The impacted versions are Wisp from 2.1.1 up to, but not including, 2.2.1.

Affected Version(s)

wisp 2.1.1 < 2.2.1

wisp 129dcb1fe10ab1e676145d91477535e1c90ab550 < 161118c431047f7ef1ff7cabfcc38981877fdd93

References

https://github.com/gleam-wisp/wisp/security/advisories/GH...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-28807.html

https://osv.dev/vulnerability/EEF-CVE-2026-28807

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Mar 3, 2026

Credit

John Downey

Louis Pilfold

CVE-2026-28807 Data

JSON

Gleam-wisp

What is CVE-2026-28807?

Affected Version(s)

References

CVSS V4

Timeline

Credit