Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-39407 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.
When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.
The routing layer and serveStatic handle repeated slashes differently.
For example:
/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*
However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.
This inconsistency allows a request such as:
GET //admin/secret.txt
to bypass middleware registered on /admin/* and access protected files.
The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.
An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.
This can lead to unauthorized access to sensitive files under the static root.
This issue affects applications that rely on serveStatic together with route-based middleware for access control.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.