PatchSiren cyber security CVE debrief
CVE-2026-28807 Gleam Wisp CVE debrief
CVE-2026-28807 is a Path Traversal vulnerability in the wisp module of Gleam Wisp. The vulnerability arises from the wisp.serve_static function, which is susceptible to path traversal attacks because it performs sanitization before percent-decoding. This allows an attacker to manipulate the path by using percent-encoded sequences like %2e%2e, which can be converted to .. after decoding, enabling directory traversal when a file is read. Consequently, an unauthenticated attacker can read any file that is readable by the application process with a single HTTP request. This includes sensitive information such as application source code, configuration files, secrets, and system files. The affected versions of wisp range from 2.1.1 up to but not including 2.2.1.
- Vendor
- Gleam Wisp
- Product
- Wisp
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-10
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-03-10
- Advisory updated
- 2026-05-27
Who should care
Users of Gleam Wisp's wisp module, particularly those who have not updated to version 2.2.1 or later, should be concerned about this vulnerability. This vulnerability can be exploited by an unauthenticated attacker to read arbitrary files, potentially leading to sensitive information disclosure.
Technical summary
The wisp.serve_static function in Gleam Wisp's wisp module is vulnerable to path traversal attacks. The issue stems from the order of operations in path sanitization and percent-decoding. Specifically, the encoded sequence %2e%2e can pass through string.replace unchanged and then be converted to .. by uri.percent_decode, allowing for directory traversal when the file is read. This vulnerability can be exploited by an unauthenticated attacker to read any file readable by the application process.
Defensive priority
High
Recommended defensive actions
- Update wisp to version 2.2.1 or later
- Restrict access to sensitive files and directories
- Implement additional security measures to monitor and limit file access requests
- Review and update application configurations to prevent exploitation
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
Evidence notes
The CVE record was published on 2026-03-10T22:16:18.640Z and was last modified on 2026-05-27T13:45:05.160Z. The vulnerability has been analyzed and is currently categorized as HIGH severity with a CVSS score of 8.7.
Official resources
-
CVE-2026-28807 CVE record
CVE.org
-
CVE-2026-28807 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Exploit, Vendor Advisory, Patch
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-10T22:16:18.640Z and has not been modified since then.