PYSEC-2026-918

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/sanic/PYSEC-2026-918.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-918
Aliases
Published
2026-07-06T08:03:31.763289Z
Modified
2026-07-07T11:45:50.826682501Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs
Details

Impact

Access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted.

Patches

  • v20.12.7 (LTS)
  • v21.12.2 (LTS)
  • v22.6.1

References

https://github.com/sanic-org/sanic/issues/2478 https://github.com/sanic-org/sanic/pull/2495

For more information

If you have any questions or comments about this advisory: * Open an issue in the community forums * Ping us on the Discord server

References

Affected packages

PyPI / sanic

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.12.7
Introduced
22.0.0
Fixed
22.6.1
Introduced
21.0.0
Fixed
21.12.2

Affected versions

0.*
0.1.0
0.1.1
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.4
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.8.3
18.*
18.12.0
19.*
19.3.1
19.6.0
19.6.2
19.6.3
19.9.0
19.12.0
19.12.2
19.12.3
19.12.4
19.12.5
20.*
20.3.0
20.6.0
20.6.1
20.6.2
20.6.3
20.9.0
20.9.1
20.12.0
20.12.1
20.12.2
20.12.3
20.12.4
20.12.5
20.12.6
21.*
21.3.0
21.3.1
21.3.2
21.3.4
21.6.0
21.6.1
21.6.2
21.9.0
21.9.1
21.9.2
21.9.3
21.12.0
21.12.1
22.*
22.3.0
22.3.1
22.3.2
22.6.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/sanic/PYSEC-2026-918.yaml"