Cyber Resilience

CVE-2026-24469

High

Published: 24 January 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: none available at publication
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.0003 (10.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24469 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24469 is a path traversal vulnerability affecting C++ HTTP Server, an HTTP/1.1 server designed to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable through the RequestHandler::handleRequest method, where the application fails to sanitize the filename variable derived from the user-controlled URL path. This variable is directly concatenated to the files_directory base path, allowing traversal outside the intended root directory. The issue is classified under CWE-22 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious HTTP GET request containing ../ sequences in the path. Successful exploitation enables the attacker to read arbitrary files from the server's filesystem, potentially exposing sensitive configuration files, credentials, or other data without requiring privileges or user interaction.
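The unsafe concatenation described above shown beside a hardened resolver, as an added C++ example that is not the project's code: function names, the percent-decoding step and the use of std::filesystem are assumptions, and the check is purely lexical.

```cpp
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Vulnerable pattern the advisory describes: the filename taken from the URL
// path is appended to files_directory with no check, so "../" walks out of it.
std::string vulnerable_resolve(const std::string& files_directory, const std::string& filename) {
    return files_directory + filename;
}

// Decode %XX escapes before validating, so an encoded "..%2f" cannot slip past
// the traversal check. Rejects malformed escapes and embedded NUL bytes.
std::optional<std::string> percent_decode(const std::string& in) {
    auto hex = [](char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    std::string out;
    for (std::string::size_type i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return std::nullopt;           // truncated escape
        int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return std::nullopt;  // bad hex or %00
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return out;
}

// Hardened resolver (assumed design): decode, join to the root, normalise
// lexically, then require that the result is still inside files_directory.
// No filesystem access happens here; symlinks under the root still need a
// canonical-path check or O_NOFOLLOW at open time.
std::optional<fs::path> safe_resolve(const fs::path& files_directory, const std::string& url_path) {
    auto decoded = percent_decode(url_path);
    if (!decoded) return std::nullopt;
    std::string rel = *decoded;
    while (!rel.empty() && rel.front() == '/') rel.erase(0, 1);  // treat the URL path as relative
    fs::path root = files_directory.lexically_normal();
    fs::path requested = (root / rel).lexically_normal();
    fs::path relative = requested.lexically_relative(root);
    // Empty means incomparable roots; a leading ".." means the path escaped the root.
    if (relative.empty() || *relative.begin() == fs::path("..")) return std::nullopt;
    return requested;
}
```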

The GitHub security advisory at https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff details the vulnerability. No patch was available at the time of publication on 2026-01-24.


Vulnerability details

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing HTTP server directly enables remote, unauthenticated file reads: T1190 covers the initial exploitation, and T1005 covers the resulting arbitrary local file access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

The following CVEs share CWE-22: CVE-2025-12824, CVE-2026-25965, CVE-2025-30567, CVE-2025-27098, CVE-2024-55457, CVE-2026-35485, CVE-2024-54909, CVE-2026-3405, CVE-2025-41368, CVE-2026-23850.

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: Directly addresses the failure to sanitize the user-controlled filename from the URL path by requiring validation to block traversal sequences like ../.

prevent: Enforces logical access restrictions to ensure the HTTP server only allows reads within the intended files_directory base path, preventing arbitrary file access.

prevent: Restricts HTTP request inputs to safe path formats, mitigating traversal attempts by blocking unauthorized characters or patterns derived from the URL.
