PT-2026-20330 · Echo · Echo

Shblue21 · Published 2026-02-17 · Updated 2026-03-03 · CVE-2026-25766

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Echo versions 5.0.0 through 5.0.2

Description

Echo, a Go web framework, has an issue where the middleware.Static component, when used with the default filesystem on Windows, allows path traversal through backslashes. This enables unauthenticated remote file read outside the designated static root. The requested path is processed using path.Clean, which does not recognize backslashes as path separators, leaving .. sequences intact. Subsequently, os.Open on Windows interprets these backslashes as separators, enabling traversal beyond the intended static root. The middleware/static.go file and the echo.go file are relevant to this issue.

Recommendations

Update to Echo version 5.0.3 or later.
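
The separator mismatch from the description, as an added example (not Echo's code and not the project's fix). It shows path.Clean leaving backslash-separated .. segments intact, and a pre-check that rejects them. The function names, the sample root and the request paths are constructed, and asWindowsSees is only a model of Windows separator handling so the example runs on any OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanLikeAdvisory models the step the advisory describes: the request path
// is normalised with path.Clean, which treats only "/" as a separator.
func cleanLikeAdvisory(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// asWindowsSees models (does not call) a Windows file API resolving the
// joined name, where "\" is a separator as well as "/".
func asWindowsSees(root, cleaned string) string {
	return path.Clean(strings.ReplaceAll(root+cleaned, `\`, "/"))
}

// escapesRoot reports whether a resolved name lies outside the static root.
func escapesRoot(root, resolved string) bool {
	return resolved != root && !strings.HasPrefix(resolved, root+"/")
}

// safeResolve is a hypothetical hardened check: refuse backslashes before
// cleaning, then confirm the resolved name is still under root.
func safeResolve(root, reqPath string) (string, error) {
	if strings.ContainsRune(reqPath, '\\') {
		return "", fmt.Errorf("rejected: backslash in %q", reqPath)
	}
	resolved := asWindowsSees(root, cleanLikeAdvisory(reqPath))
	if escapesRoot(root, resolved) {
		return "", fmt.Errorf("rejected: %q leaves %s", reqPath, root)
	}
	return resolved, nil
}

func main() {
	root := "/srv/static" // constructed sample root
	for _, p := range []string{"css/site.css", "../../secret.txt", `..\..\secret.txt`} {
		c := cleanLikeAdvisory(p)
		w := asWindowsSees(root, c)
		_, err := safeResolve(root, p)
		fmt.Printf("%-20q clean=%-22q resolved=%-26q escapes=%-5v hardened_err=%v\n",
			p, c, w, escapesRoot(root, w), err)
	}
}
```

The forward-slash request is neutralised by path.Clean, while the backslash request passes through it unchanged and only the pre-check stops it.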

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-25766
GHSA-PGVM-WXW2-HRV9
GO-2026-4502
SUSE-SU-2026:0757-1

Affected Products

Echo