{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T19:53:10.517","vulnerabilities":[{"cve":{"id":"CVE-2026-24686","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T01:16:02.790","lastModified":"2026-02-24T19:08:46.017","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."},{"lang":"es","value":"go-tuf es una implementación en Go de The Update Framework (TUF). El cliente Multirepo TAP 4 de go-tuf utiliza la cadena del nombre del repositorio del archivo de mapa ('repoName') como un componente de ruta del sistema de archivos al seleccionar el directorio de caché de metadatos local. A partir de la versión 2.0.0 y antes de la versión 2.4.1, si una aplicación acepta un archivo de mapa de una fuente no confiable, un atacante puede proporcionar un 'repoName' que contenga recorrido (p. ej., '../escaped-repo') y hacer que go-tuf cree directorios y escriba el archivo de metadatos raíz fuera de la base de caché 'LocalMetadataDir' prevista, dentro de los permisos del sistema de archivos del proceso en ejecución. La versión 2.4.1 contiene un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.4.1","matchCriteriaId":"18AEE62D-019F-48BA-ADF7-C7F5C1C72E9E"}]}]}],"references":[{"url":"https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}