WsgiDAV encoded dot segments can escape filesystem share roots
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
Advisories for Pypi/Wsgidav package
2026
2022
Cross Site Scripting vulnerability in wsgidav when directory browsing is enabled
Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.