Path Traversal Vulnerability in WebP Server Go on Windows by WebP
CVE-2026-53779

8.7HIGH

Key Information:

Vendor: Webp-sh
Status: Webp Server Go
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-53779?

The WebP Server Go version up to 0.14.4 is affected by a path traversal vulnerability on Windows. This issue permits unauthenticated attackers to access files outside the designated IMG_PATH directory by submitting requests that include percent-encoded backslashes (%5C), circumventing the path.Clean() sanitization process. The vulnerability arises from the inconsistency between Go's path normalization using forward slashes and the Windows file system's treatment of backslashes as equivalent. As a result, this flaw can enable attackers to gain unauthorized access to arbitrary files present on the server's filesystem.

Affected Version(s)

webp_server_go 0

References

https://github.com/webp-sh/webp_server_go/pull/451

issue-tracking

https://github.com/webp-sh/webp_server_go/commit/eb3b5f92...

patch

https://www.vulncheck.com/advisories/webp-server-go-path-...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

Katriel Moses

CVE-2026-53779 Data

JSON

Webp-sh

What is CVE-2026-53779?

Affected Version(s)

References

CVSS V4

Timeline

Credit