Path Traversal in Avwo Whistle

CVE-2026-55629

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH only when it matches the temporary file pat…

Vulnerability class: Path Traversal (Directory Traversal)

Affected products

Weakness classification (CWE)

References