{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-22T14:37:38.024","vulnerabilities":[{"cve":{"id":"CVE-2026-23992","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T03:15:47.470","lastModified":"2026-06-17T10:22:26.730","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1."},{"lang":"es","value":"go-tuf es una implementación en Go de The Update Framework (TUF). A partir de la versión 2.0.0 y antes de la versión 2.3.1, un repositorio TUF comprometido o mal configurado puede tener el valor configurado de los umbrales de firma establecido en 0, lo que deshabilita efectivamente la verificación de firmas. Esto puede llevar a que sea posible la modificación no autorizada de los archivos de metadatos de TUF en reposo o en tránsito, ya que no se realizan comprobaciones de integridad. La versión 2.3.1 corrige el problema. Como solución alternativa, asegúrese siempre de que los roles de metadatos de TUF estén configurados con un umbral de al menos 1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"theupdateframework","product":"go-tuf","versions":[{"version":">= 2.0.0, < 2.3.1","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-22T15:21:00.989880Z","id":"CVE-2026-23992","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-347"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.3.1","matchCriteriaId":"6442E623-C25E-418E-A418-324F815885AF"}]}]}],"references":[{"url":"https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}