CVE-2026-25766: Echo has a Windows path traversal via backslash in middleware.Static default filesystem

February 17, 2026 (updated February 19, 2026)

On Windows, Echo’s middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root.

References

github.com/advisories/GHSA-pgvm-wxw2-hrv9
github.com/labstack/echo
github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1
github.com/labstack/echo/pull/2891
github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9
nvd.nist.gov/vuln/detail/CVE-2026-25766

Code Behaviors & Features

Detect and mitigate CVE-2026-25766 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →