What is GHSA-pv77-wrq6-gq73?

GHSA-pv77-wrq6-gq73 is a security advisory published by GitHub Security Advisories with High severity. WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows...

Which CVE IDs does GHSA-pv77-wrq6-gq73 cover?

GHSA-pv77-wrq6-gq73 covers the following CVE IDs: CVE-2026-53779. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-pv77-wrq6-gq73?

GHSA-pv77-wrq6-gq73 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

GHSA-pv77-wrq6-gq73HighCVSS 7.5

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows...

Vendor

GitHub Security Advisories

Published

June 22, 2026

Last Modified

June 22, 2026

🔗 CVE IDs covered (1)

CVE-2026-53779 →

📋 Description

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-53779
https://github.com/webp-sh/webp_server_go/pull/451
https://github.com/webp-sh/webp_server_go/commit/eb3b5f9289b331cb639cd610b0d1c532d2cc24e0
https://www.vulncheck.com/advisories/webp-server-go-path-traversal-via-backslash-encoding-on-windows
https://github.com/advisories/GHSA-pv77-wrq6-gq73