CVE-2026-24469 HIGH

CVE-2026-24469: C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read

Vendor Frustratedproton
Product http-server
Weakness CWE-22 · Path traversal
Published January 24, 2026
Last update January 26, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication.
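The concatenation pattern described above, next to a segment-wise containment check, as an added example that is not the project's own code. `unsafe_join`, `safe_join` and the sample paths are hypothetical; only `files_directory` and `filename` are names from the advisory. The check is lexical only: it assumes the URL path has already been percent-decoded and does not resolve symlinks inside the root.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Pattern the advisory describes: the URL path is appended to the base
// directory unchecked. Kept only as the "before" for comparison.
std::string unsafe_join(const std::string& files_directory, const std::string& filename) {
    return files_directory + "/" + filename;
}

// Hardened form (hypothetical helper): walks the request path segment by
// segment and refuses anything that would climb above files_directory.
// Returns false and leaves `out` untouched on rejection.
bool safe_join(const std::string& files_directory, const std::string& filename, std::string& out) {
    // NUL bytes and backslashes have no place in a served path.
    if (filename.find('\0') != std::string::npos || filename.find('\\') != std::string::npos)
        return false;
    std::vector<std::string> kept;
    std::istringstream segments(filename);
    std::string seg;
    while (std::getline(segments, seg, '/')) {
        if (seg.empty() || seg == ".") continue;  // "//" and "./" are no-ops
        if (seg == "..") {
            if (kept.empty()) return false;       // would leave the root
            kept.pop_back();
            continue;
        }
        kept.push_back(seg);
    }
    if (kept.empty()) return false;               // no file named
    std::string joined = files_directory;
    for (const std::string& k : kept) joined += "/" + k;
    out = joined;
    return true;
}

int main() {
    // Constructed sample request paths, not taken from the advisory.
    const char* samples[] = {"index.html", "css/../index.html",
                             "../../outside.txt", "a/../../secret"};
    for (const char* s : samples) {
        std::string resolved;
        bool ok = safe_join("/srv/files", s, resolved);
        std::cout << s << " -> " << (ok ? resolved : "rejected") << "\n";
    }
    return 0;
}
```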

Key dates

02 Disclosure timeline

January 24, 2026 CVE published
January 26, 2026 Record updated