Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
https://pkg.go.dev/vuln/GO-2020-0033
https://github.com/go-aah/aah/pull/267
https://github.com/go-aah/aah/issues/266
https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
Source: Mitre, NVD
Published: 2022-12-27
Updated: 2026-06-17
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
Severity: High
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.00419