PT-2026-24472 · Unknown · Gleam-Wisp Wisp

John Downey

+1

·

Published

2026-03-10

·

Updated

2026-05-27

·

CVE-2026-28807

CVSS v4.0

8.7

High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: gleam-wisp wisp versions 2.1.1 through 2.2.0
Description: A path traversal issue exists in gleam-wisp wisp that allows arbitrary file reading through percent-encoded path traversal. The wisp.serve_static function is susceptible because sanitization occurs before percent-decoding. The encoded sequence %2e%2e bypasses the string replacement and is then converted to .. by uri.percent_decode, enabling directory traversal when the file is read. An unauthenticated attacker can read any file accessible to the application process with a single HTTP request, potentially including source code, configuration files, secrets, and system files.
Recommendations: Update gleam-wisp wisp to version 2.2.1 or later.
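Added example (Python, not code from the wisp project) showing the ordering defect the description names, beside the corrected order and a root-containment check that does not rely on substring stripping. Assumptions: wisp's sanitizer is modelled as a plain removal of ".." substrings, and the static root and request path are constructed.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumption: the sanitizer is modelled as a plain removal of ".." substrings.
# The exact replacement used by wisp.serve_static is not shown in the advisory.
def strip_dotdot(path: str) -> str:
    return path.replace("..", "")

def vulnerable_order(request_path: str) -> str:
    """Ordering described in the advisory: sanitize first, percent-decode second.
    "%2e%2e" contains no literal "..", so it survives the replacement and only
    becomes ".." after decoding, when nothing inspects it any more."""
    return unquote(strip_dotdot(request_path))

def fixed_order(request_path: str) -> str:
    """Decode first so the sanitizer sees the same bytes the filesystem will."""
    return strip_dotdot(unquote(request_path))

def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Defence independent of substring stripping: decode, canonicalise the
    candidate path, and refuse anything that resolves outside root.
    Returns the resolved path, or None when the request escapes root."""
    root_dir = Path(root).resolve()
    candidate = (root_dir / unquote(request_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(root_dir)
    except ValueError:
        return None
    return str(candidate)

if __name__ == "__main__":
    # Constructed request against a hypothetical static root.
    probe = "/%2e%2e/%2e%2e/app/config.env"
    print("sanitize-then-decode :", vulnerable_order(probe))   # ../../ survives
    print("decode-then-sanitize :", fixed_order(probe))        # ../../ stripped
    print("canonical root check :", resolve_under_root("/srv/static", probe))  # None
```

The root-containment check is the property worth testing in a static file handler: whatever the sanitizer does, the resolved path must stay under the configured directory.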

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-28807
GHSA-H7CJ-J2VV-QW8R

Affected Products

Gleam-Wisp Wisp