Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    GHSA-WXQ4-CC2Q-338Q

    Vulnerability from github – Published: 2026-06-11 20:28 – Updated: 2026-06-11 20:28
    VLAI
    Summary
    WsgiDAV encoded dot segments can escape filesystem share roots
    Details

    Impact

    WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

    Patches

    The issue is fixed with version 4.3.4.

    Preconditions

    The practical impact depends on the deployment.

    The deployment uses a filesystem-backed WsgiDAV share.

    The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

    Details

    The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is not path-boundary aware. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.

    In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.

    The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....

    A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.

    The WsgiDAV process has OS permissions for the outside path.

    Show details on source website

    {
      "affected": [
        {
          "database_specific": {
            "last_known_affected_version_range": "\u003c= 4.3.3"
          },
          "package": {
            "ecosystem": "PyPI",
            "name": "wsgidav"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "4.3.4"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48099"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-22"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-06-11T20:28:45Z",
        "nvd_published_at": null,
        "severity": "HIGH"
      },
      "details": "### Impact\nWsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.\n\n### Patches\nThe issue is fixed with version 4.3.4.\n\n### Preconditions\n\nThe practical impact depends on the deployment.\n\nThe deployment uses a filesystem-backed WsgiDAV share.\n\nThe attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.\n\n### Details\n\nThe issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.\n\nIn a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.\n\nThe WSGI/server layer forwards the encoded dot segment to WsgiDAV\u0027s PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.\n\nA sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.\n\nThe WsgiDAV process has OS permissions for the outside path.",
      "id": "GHSA-wxq4-cc2q-338q",
      "modified": "2026-06-11T20:28:45Z",
      "published": "2026-06-11T20:28:45Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/mar10/wsgidav/security/advisories/GHSA-wxq4-cc2q-338q"
        },
        {
          "type": "WEB",
          "url": "https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/mar10/wsgidav"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ],
      "summary": "WsgiDAV encoded dot segments can escape filesystem share roots"
    }

    PYSEC-2026-3428

    Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:07
    VLAI
    Details

    Impact

    WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

    Patches

    The issue is fixed with version 4.3.4.

    Preconditions

    The practical impact depends on the deployment.

    The deployment uses a filesystem-backed WsgiDAV share.

    The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

    Details

    The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is not path-boundary aware. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.

    In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.

    The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....

    A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.

    The WsgiDAV process has OS permissions for the outside path.

    Impacted products
    Name purl
    wsgidav pkg:pypi/wsgidav

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "wsgidav",
            "purl": "pkg:pypi/wsgidav"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "4.3.4"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.4.0b1",
            "0.4.0b2",
            "0.5.0",
            "1.0.0",
            "1.1.0",
            "1.2.0",
            "1.3.0",
            "2.0.0",
            "2.0.1",
            "2.1.0",
            "2.2.1",
            "2.2.2",
            "2.2.3",
            "2.2.4",
            "2.3.0",
            "2.4.0",
            "2.4.1",
            "3.0.0",
            "3.0.0a1",
            "3.0.0a2",
            "3.0.0a3",
            "3.0.0a4",
            "3.0.0a5",
            "3.0.0a6",
            "3.0.0a7",
            "3.0.1",
            "3.0.2",
            "3.0.3",
            "3.0.5a2",
            "3.0.5a3",
            "3.1.0",
            "3.1.1",
            "4.0.0",
            "4.0.0a2",
            "4.0.1",
            "4.0.2",
            "4.1.0",
            "4.2.0",
            "4.3.0",
            "4.3.1",
            "4.3.2",
            "4.3.3"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48099",
        "GHSA-wxq4-cc2q-338q"
      ],
      "details": "### Impact\nWsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.\n\n### Patches\nThe issue is fixed with version 4.3.4.\n\n### Preconditions\n\nThe practical impact depends on the deployment.\n\nThe deployment uses a filesystem-backed WsgiDAV share.\n\nThe attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.\n\n### Details\n\nThe issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.\n\nIn a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.\n\nThe WSGI/server layer forwards the encoded dot segment to WsgiDAV\u0027s PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.\n\nA sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.\n\nThe WsgiDAV process has OS permissions for the outside path.",
      "id": "PYSEC-2026-3428",
      "modified": "2026-07-13T16:07:34.248435Z",
      "published": "2026-07-13T15:46:16.868348Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/mar10/wsgidav/security/advisories/GHSA-wxq4-cc2q-338q"
        },
        {
          "type": "WEB",
          "url": "https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/mar10/wsgidav"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/wsgidav"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-wxq4-cc2q-338q"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48099"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ],
      "summary": "WsgiDAV encoded dot segments can escape filesystem share roots"
    }