Cyber Resilience

CVE-2026-25891

HighPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 11.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25891 is a high-severity Path Traversal (CWE-22) vulnerability in Gofiber Fiber. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25891 is a Path Traversal vulnerability (CWE-22) in Fiber, an Express-inspired web framework written in Go. The flaw allows a remote attacker to bypass the static middleware sanitizer and access arbitrary files on the server file system, but it is limited to Windows environments. It affects Fiber versions from v3 through 3.0.0 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to read sensitive files on the affected Windows server, potentially exposing configuration data, source code, or other confidential information without impacting integrity or availability.

The vulnerability has been patched in Fiber v3 version 3.1.0. Official advisories and references, including the GitHub security advisory (GHSA-m3c2-496v-cw3v), pull request 4064, and commit 59133702301c2ab7b776dd123b474cbd995f2c86, detail the fix and recommend upgrading to the patched version.

EU & UK References

Vulnerability details

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects…

more

Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in public-facing Fiber web framework static middleware directly enables remote unauthenticated file read on Windows servers, mapping to exploitation of internet-facing applications for initial access and sensitive data exposure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25882Same product: Gofiber Fiber
CVE-2026-25899Same product: Gofiber Fiber
CVE-2025-66630Same product: Gofiber Fiber
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22
CVE-2025-15031Shared CWE-22

Affected Assets

gofiber
fiber
3.0.0 — 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely patching of the Fiber framework path traversal flaw from v3-3.0.0 to v3.1.0, eliminating the vulnerability.

prevent

Enforces validation of user-supplied path inputs in the static middleware to block traversal sequences like '../' accessing arbitrary Windows files.

prevent

Implements boundary protections such as web application firewalls to inspect and deny path traversal payloads at network entry points.

References