{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T15:11:14.524","vulnerabilities":[{"cve":{"id":"CVE-2026-33353","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T20:16:29.573","lastModified":"2026-03-25T21:59:38.923","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6."},{"lang":"es","value":"Soft Serve es un servidor Git autoalojable para la línea de comandos. Desde la versión 0.6.0 hasta antes de la versión 0.11.6, una falla de autorización en la importación de repositorios permite a cualquier usuario SSH autenticado clonar un repositorio Git local del servidor, incluyendo el repositorio privado de otro usuario, en un nuevo repositorio que ellos controlan. Este problema ha sido parcheado en la versión 0.11.6."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*","versionStartIncluding":"0.6.0","versionEndExcluding":"0.11.6","matchCriteriaId":"EDBD42A1-C2A7-4A84-AA41-6317A9812FF7"}]}]}],"references":[{"url":"https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}