CVE-2026-25766: Echo has a Windows path traversal via backslash in middleware.Static default filesystem
On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling
unauthenticated remote file read outside the static root.
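An added illustration of the class of bug described above, not Echo's code or the upstream fix: Go's `path.Clean` treats only `/` as a separator, so `..` segments joined by backslashes survive slash-only cleaning, while a Windows filesystem also treats `\` as a separator. The helper names `cleanOnly`, `escapesRoot` and `safeStaticPath` are hypothetical and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanOnly is slash-only normalisation: path.Clean treats "/" as the sole
// separator, so ".." segments joined by backslashes pass through untouched.
func cleanOnly(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// escapesRoot walks the path the way a Windows filesystem would, treating
// both "/" and "\" as separators, and reports whether it climbs above the root.
func escapesRoot(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	depth := 0
	for _, seg := range strings.FieldsFunc(p, isSep) {
		switch seg {
		case ".":
		case "..":
			depth--
			if depth < 0 {
				return true
			}
		default:
			depth++
		}
	}
	return false
}

// safeStaticPath (hypothetical helper) takes the already URL-decoded request
// path and returns a root-relative slash path, or ok=false to reject it.
func safeStaticPath(reqPath string) (rel string, ok bool) {
	if strings.ContainsRune(reqPath, '\\') || escapesRoot(reqPath) {
		return "", false
	}
	return strings.TrimPrefix(cleanOnly(reqPath), "/"), true
}

func main() {
	// Constructed sample request paths, not taken from the advisory.
	for _, p := range []string{"css/site.css", "a/../index.html", `..\..\secret.txt`, `img\..\..\secret.txt`} {
		rel, ok := safeStaticPath(p)
		fmt.Printf("%-24q clean=%-24q escapes=%-5v ok=%-5v rel=%q\n", p, cleanOnly(p), escapesRoot(p), ok, rel)
	}
}
```

A guard like this belongs in front of the static handler as a stopgap; upgrading to a release that contains the referenced fix commit is the actual remediation.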
References
- github.com/advisories/GHSA-pgvm-wxw2-hrv9
- github.com/labstack/echo
- github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1
- github.com/labstack/echo/pull/2891
- github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9
- nvd.nist.gov/vuln/detail/CVE-2026-25766
- pkg.go.dev/vuln/GO-2026-4502