Threat Advisory

Echo has a Windows path traversal via backslash in middleware.Static default filesystem

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

CVE-2026-25766 describes a moderate-severity path traversal vulnerability in the middleware.Static component of the Go module github.com/labstack/echo/v5, where improper handling of backslashes on Windows allows attackers to traverse outside the intended static file root and read arbitrary files. The issue affects Echo versions ≥ 5.0.0 and < 5.0.3 and exposes applications that rely on the default filesystem configuration to unauthenticated remote file reads on Windows systems. The weakness stems from the interaction between URL path normalization, which does not treat backslashes as separators, and the Windows filesystem, which does, resulting in a classic CWE-22 path traversal condition. Because exploitation requires no privileges or user interaction and the attack surface is network-accessible, the vulnerability has been assigned a CVSS v3.1 base score of 5.3, reflecting low confidentiality impact but broad exploitability.
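As an added illustration (not code from the Echo project or from the advisory), the following Go function shows the normalization gap the summary describes and one way a static-file handler can vet a requested path before serving it; the root directory and request strings are constructed sample values.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// safeJoin resolves a URL path requested from a static-file handler against the
// configured root directory. The CWE-22 condition described above arises because
// URL-path cleaning (path.Clean) treats only "/" as a separator, so a request
// containing "\" survives normalization unchanged while the Windows filesystem
// still interprets "\" as a separator. The check therefore:
//   1. rejects any request containing a backslash outright, and
//   2. cleans what remains and verifies the result stays under root.
// It returns the resolved filesystem path and true when the request is safe.
func safeJoin(root, reqPath string) (string, bool) {
	// Step 1: "\" is an ordinary character on the URL side but a separator on
	// Windows; refuse it rather than guessing how the filesystem will read it.
	if strings.ContainsRune(reqPath, '\\') {
		return "", false
	}
	// Step 2: clean with a leading "/" so ".." segments collapse against the
	// root instead of escaping it (the same idiom net/http's FileServer uses).
	cleaned := path.Clean("/" + reqPath)
	// Step 3: join with the OS separator and confirm containment as defense in
	// depth against any other separator quirk.
	rootAbs := filepath.Clean(root)
	full := filepath.Join(rootAbs, filepath.FromSlash(cleaned))
	if full != rootAbs && !strings.HasPrefix(full, rootAbs+string(filepath.Separator)) {
		return "", false
	}
	return full, true
}

func main() {
	// Constructed sample root and requests (not taken from the advisory).
	root := "/srv/static"
	for _, req := range []string{"css/app.css", "../../secret.txt", `..\..\secret.txt`} {
		// path.Clean leaves the backslash request untouched: that is the
		// normalization gap the advisory describes.
		full, ok := safeJoin(root, req)
		fmt.Printf("req=%q cleaned=%q ok=%v full=%q\n", req, path.Clean("/"+req), ok, full)
	}
}
```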

RECOMMENDATION:

We strongly recommend updating Echo to version 5.0.3.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-pgvm-wxw2-hrv9
