PatchSiren cyber security CVE debrief
CVE-2026-53779 webp-sh CVE debrief
CVE-2026-53779 is a path traversal vulnerability in WebP Server Go through 0.14.4 on Windows. The vulnerability allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. This discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent enables attackers to access arbitrary files on the host filesystem accessible to the server process. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. WebP Server Go users should take immediate action to mitigate this vulnerability.
- Vendor
- webp-sh
- Product
- webp_server_go
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-22
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-22
- Advisory updated
- 2026-06-23
Who should care
System administrators and security teams responsible for WebP Server Go installations, especially those on Windows, should prioritize patching this vulnerability. Given the HIGH severity and CVSS score of 8.7, immediate attention is necessary to prevent potential exploitation. Additionally, security teams should monitor for any suspicious activity that could indicate attempted exploitation of this vulnerability.
Technical summary
The path traversal vulnerability in WebP Server Go through 0.14.4 on Windows arises from the server's handling of percent-encoded backslashes (%5C) in file paths. Unlike Go's path.Clean() function, which sanitizes paths by removing or escaping certain characters, Windows file system APIs treat backslashes and forward slashes as equivalent. This discrepancy allows attackers to bypass path sanitization and access files outside the intended IMG_PATH directory. The vulnerability is exploitable via unauthenticated requests, making it a significant risk for servers with publicly accessible WebP Server Go instances.
Defensive priority
High priority should be given to patching WebP Server Go installations, especially those on Windows, to prevent exploitation of this path traversal vulnerability. Immediate action is recommended due to the HIGH severity and CVSS score of 8.7.
Recommended defensive actions
- Apply the latest patch or update for WebP Server Go to version 0.14.5 or later.
- Review and adjust the IMG_PATH configuration to ensure it does not inadvertently expose sensitive directories.
- Implement additional monitoring to detect suspicious file access patterns.
- Consider compensating controls such as Web Application Firewalls (WAFs) to help mitigate potential exploitation attempts.
- Perform a thorough inventory check of all WebP Server Go instances within the organization to ensure they are updated and patched.
Evidence notes
The CVE-2026-53779 vulnerability was publicly disclosed on June 22, 2026, with a CVSS score of 8.7 and HIGH severity. The vulnerability affects WebP Server Go through 0.14.4 on Windows, allowing path traversal attacks. Evidence from the NVD and Vulncheck indicates that this vulnerability is exploitable via unauthenticated requests, posing a significant risk to affected systems.
Official resources
This article is AI-assisted and based on the supplied source corpus.