{"id":"GO-2026-4502","summary":"Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5","details":"Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5","aliases":["CVE-2026-25766","GHSA-pgvm-wxw2-hrv9"],"modified":"2026-03-17T05:08:35.813444Z","published":"2026-02-26T16:27:48Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4502","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9"},{"type":"FIX","url":"https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"},{"type":"FIX","url":"https://github.com/labstack/echo/pull/2891"}],"affected":[{"package":{"name":"github.com/labstack/echo/v5","ecosystem":"Go","purl":"pkg:golang/github.com/labstack/echo/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"5.0.0"},{"fixed":"5.0.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["Static","StaticConfig.ToMiddleware","StaticWithConfig"],"path":"github.com/labstack/echo/v5/middleware"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4502.json"}}],"schema_version":"1.7.5"}