{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T16:49:16.338","vulnerabilities":[{"cve":{"id":"CVE-2026-23991","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T03:15:47.317","lastModified":"2026-02-17T16:10:55.810","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well-formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available."},{"lang":"es","value":"go-tuf es una implementación en Go de The Update Framework (TUF). A partir de la versión 2.0.0 y antes de la versión 2.3.1, si el repositorio TUF (o cualquiera de sus espejos) devuelve JSON de metadatos TUF no válido (JSON válido pero metadatos TUF no bien formados), el cliente entrará en pánico durante el análisis, causando una denegación de servicio. El pánico ocurre antes de que se valide cualquier firma. Esto significa que un repositorio/espejo/caché comprometido puede provocar una denegación de servicio (DoS) a los clientes sin tener acceso a ninguna clave de firma. La versión 2.3.1 soluciona el problema. No hay soluciones alternativas conocidas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-617"},{"lang":"en","value":"CWE-754"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.3.1","matchCriteriaId":"6442E623-C25E-418E-A418-324F815885AF"}]}]}],"references":[{"url":"https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}