CVE-2026-27139

{"id": "CVE-2026-27139", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.0}]}, "published": "2026-03-06T22:16:01.070", "references": [{"url": "https://go.dev/cl/749480", "tags": ["Mailing List"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/77827", "tags": ["Issue Tracking"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk", "tags": ["Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4602", "tags": ["Vendor Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."}, {"lang": "es", "value": "En plataformas Unix, al listar el contenido de un directorio usando File.ReadDir o File.Readdir, el FileInfo devuelto podr\u00eda hacer referencia a un archivo fuera de la Ra\u00edz en la que se abri\u00f3 el Archivo. El impacto de este escape se limita a la lectura de metadatos proporcionados por lstat desde ubicaciones arbitrarias en el sistema de archivos sin permitir la lectura o escritura de archivos fuera de la ra\u00edz."}], "lastModified": "2026-04-21T14:32:36.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D293CC0-B163-4E62-B985-52FB6ECA64C5", "versionEndExcluding": "1.25.8"}, {"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}