CVE-2026-24686

{"id": "CVE-2026-24686", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-24686", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T14:39:18.006561Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "theupdateframework", "product": "go-tuf", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.4.1"}]}]}], "published": "2026-01-27T01:16:02.790", "references": [{"url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}, {"lang": "es", "value": "go-tuf es una implementaci\u00f3n en Go de The Update Framework (TUF). El cliente Multirepo TAP 4 de go-tuf utiliza la cadena del nombre del repositorio del archivo de mapa ('repoName') como un componente de ruta del sistema de archivos al seleccionar el directorio de cach\u00e9 de metadatos local. A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.4.1, si una aplicaci\u00f3n acepta un archivo de mapa de una fuente no confiable, un atacante puede proporcionar un 'repoName' que contenga recorrido (p. ej., '../escaped-repo') y hacer que go-tuf cree directorios y escriba el archivo de metadatos ra\u00edz fuera de la base de cach\u00e9 'LocalMetadataDir' prevista, dentro de los permisos del sistema de archivos del proceso en ejecuci\u00f3n. La versi\u00f3n 2.4.1 contiene un parche."}], "lastModified": "2026-06-17T10:23:25.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18AEE62D-019F-48BA-ADF7-C7F5C1C72E9E", "versionEndExcluding": "2.4.1", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}