{"id":"GO-2020-0033","summary":"Path Traversal in aahframe.work","details":"Due to improper sanitization of user input, HTTPEngine.Handle is vulnerable to directory traversal: an attacker can read files outside of the target directory, provided the server has permission to read them.","aliases":["CVE-2020-36559","GHSA-vp56-r7qv-783v"],"modified":"2026-03-17T04:05:36.226416Z","published":"2021-04-14T20:04:52Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0033","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/go-aah/aah/pull/267"},{"type":"FIX","url":"https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec"},{"type":"REPORT","url":"https://github.com/go-aah/aah/issues/266"}],"affected":[{"package":{"name":"aahframe.work","ecosystem":"Go","purl":"pkg:golang/aahframe.work"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.12.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["Application.Run","Application.ServeHTTP","Application.Start","HTTPEngine.Handle"],"path":"aahframe.work"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0033.json"}}],"schema_version":"1.7.5","credits":[{"name":"@snyff"}]}