CVE-2026-25766

Exploit

EPSS 0.04%
Veröffentlicht 19.02.2026 15:49:02
Zuletzt bearbeitet 23.02.2026 20:17:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Labstack ≫ Echo SwPlatformgo Version >= 5.0.0 < 5.0.3

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.133

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9

Vendor Advisory

Exploit

https://github.com/labstack/echo/pull/2891

Patch

Issue Tracking

https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25766

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25766

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25766

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25766