Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-25891

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-24 Feb, 2026 | 21:08
Updated At-24 Feb, 2026 | 21:39
Rejected At-
Credits

Fiber has an Arbitrary File Read in Static Middleware on Windows

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:24 Feb, 2026 | 21:08
Updated At:24 Feb, 2026 | 21:39
Rejected At:
â–¼CVE Numbering Authority (CNA)
Fiber has an Arbitrary File Read in Static Middleware on Windows

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.

Affected Products
Vendor
gofiber
Product
fiber
Versions
Affected
  • >= 3.0.0, < 3.1.0
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v
x_refsource_CONFIRM
https://github.com/gofiber/fiber/pull/4064
x_refsource_MISC
https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86
x_refsource_MISC
Hyperlink: https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/gofiber/fiber/pull/4064
Resource:
x_refsource_MISC
Hyperlink: https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:24 Feb, 2026 | 22:16
Updated At:27 Feb, 2026 | 03:18

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
gofiber
gofiber
>>fiber>>Versions from 3.0.0(inclusive) to 3.1.0(exclusive)
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarysecurity-advisories@github.com
CWE ID: CWE-22
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86security-advisories@github.com
Patch
https://github.com/gofiber/fiber/pull/4064security-advisories@github.com
Exploit
Issue Tracking
https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3vsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/gofiber/fiber/pull/4064
Source: security-advisories@github.com
Resource:
Exploit
Issue Tracking
Hyperlink: https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1008Records found
CVE-2024-48224
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.14% / 33.32%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 00:00
Updated-31 Oct, 2024 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile.

Action-Not Available
Vendor-funadminn/afunadmin
Product-funadminn/afunadmin
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45652
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.27%
||
7 Day CHG-0.16%
Published-19 Jan, 2025 | 02:42
Updated-18 Aug, 2025 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Maximo Asset Management directory traversal

IBM Maximo MXAPIASSET API 7.6.1.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_asset_managementMaximo Asset Management
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-44720
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.59% / 68.79%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 00:00
Updated-28 Mar, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeaCMS v13.1 was discovered to an arbitrary file read vulnerability via the component admin_safe.php.

Action-Not Available
Vendor-seacmsn/aseacms
Product-seacmsn/aseacms
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45436
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-29.08% / 96.47%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-30 Aug, 2024 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

Action-Not Available
Vendor-ollaman/aollama
Product-ollaman/aollama
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-48931
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.28% / 51.08%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 20:49
Updated-06 Nov, 2024 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZimaOS Arbitrary File Read via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitrary file reading due to improper input validation. By manipulating the `files` parameter, authenticated users can read sensitive system files, including `/etc/shadow`, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the `files` parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available.

Action-Not Available
Vendor-zimaspaceIceWhaleTechicewhaletech
Product-zimaosZimaOSzimaos
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-25265
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.15%
||
7 Day CHG~0.00%
Published-28 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Docmosis Tornado <= 2.9.4 is vulnerable to Directory Traversal leading to the disclosure of arbitrary content on the file system.

Action-Not Available
Vendor-docmosisn/a
Product-tornadon/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-24698
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.47%
||
7 Day CHG~0.00%
Published-08 Aug, 2023 | 00:00
Updated-15 Oct, 2024 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient parameter validation in the Foswiki::Sandbox component of Foswiki v2.1.7 and below allows attackers to perform a directory traversal via supplying a crafted web request.

Action-Not Available
Vendor-foswikin/a
Product-foswikin/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-4790
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.66% / 70.73%
||
7 Day CHG~0.00%
Published-11 May, 2024 | 23:31
Updated-04 Apr, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DedeCMS path traversal

A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/aDedeCMS
Product-dedecmsDedeCMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-24
Path Traversal: '../filedir'
  • Previous
  • 1
  • 2
  • ...
  • 19
  • 20
  • 21
  • Next
Details not found