PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28807 Gleam Wisp CVE debrief

CVE-2026-28807 is a Path Traversal vulnerability in the wisp module of Gleam Wisp. The vulnerability arises from the wisp.serve_static function, which is susceptible to path traversal attacks because it performs sanitization before percent-decoding. This allows an attacker to manipulate the path by using percent-encoded sequences like %2e%2e, which can be converted to .. after decoding, enabling directory traversal when a file is read. Consequently, an unauthenticated attacker can read any file that is readable by the application process with a single HTTP request. This includes sensitive information such as application source code, configuration files, secrets, and system files. The affected versions of wisp range from 2.1.1 up to but not including 2.2.1.

Vendor
Gleam Wisp
Product
Wisp
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-10
Original CVE updated
2026-05-27
Advisory published
2026-03-10
Advisory updated
2026-05-27

Who should care

Users of Gleam Wisp's wisp module, particularly those who have not updated to version 2.2.1 or later, should be concerned about this vulnerability. This vulnerability can be exploited by an unauthenticated attacker to read arbitrary files, potentially leading to sensitive information disclosure.

Technical summary

The wisp.serve_static function in Gleam Wisp's wisp module is vulnerable to path traversal attacks. The issue stems from the order of operations in path sanitization and percent-decoding. Specifically, the encoded sequence %2e%2e can pass through string.replace unchanged and then be converted to .. by uri.percent_decode, allowing for directory traversal when the file is read. This vulnerability can be exploited by an unauthenticated attacker to read any file readable by the application process.

Defensive priority

High

Recommended defensive actions

  • Update wisp to version 2.2.1 or later
  • Restrict access to sensitive files and directories
  • Implement additional security measures to monitor and limit file access requests
  • Review and update application configurations to prevent exploitation
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.

Evidence notes

The CVE record was published on 2026-03-10T22:16:18.640Z and was last modified on 2026-05-27T13:45:05.160Z. The vulnerability has been analyzed and is currently categorized as HIGH severity with a CVSS score of 8.7.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-10T22:16:18.640Z and has not been modified since then.