What is the CVSS score of CVE-2026-44973?

CVE-2026-44973 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Which versions of go-billy are affected by CVE-2026-44973?

CVE-2026-44973 is a path traversal vulnerability in go-billy that allows authenticated users to bypass filesystem isolation controls and access files outside intended boundaries, potentially exposing…. A patch is available.

go-billy CVE-2026-44973

HIGH

Path Traversal (CWE-22)

2026-05-14 https://github.com/go-git/go-billy

GHSA-qw64-3x98-g7q2

Path Traversal

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 14, 2026 - 19:01 vuln.today

Analysis Generated

May 14, 2026 - 19:01 vuln.today

CVE Published

May 14, 2026 - 18:25 nvd

HIGH 8.1

DescriptionNVD

Impact

Multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations.

The osfs.ChrootOS implementation is notably affected by this vulnerability and is now deprecated in v5, removed at v6. Users are recommended to move on to osfs.BoundOS instead: osfs.New(path, WithBoundOS()).

Users requiring stronger security boundary enforcement are recommended to upgrade to v6, where the osfs implementation are backed by the traversal-resistant primitive os.Root.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version.

Credits

Thanks to @faran66 and @vnykmshr for finding and separately reporting this issue privately to the go-git project. 🙇

AnalysisAI

Path traversal vulnerabilities in go-billy (Go filesystem abstraction library) allow authenticated attackers with network access to escape intended directory boundaries and access arbitrary filesystem locations. The vulnerability affects all versions prior to v5.9.0 and v6.0.0-alpha.1, with the osfs.ChrootOS implementation particularly impacted due to insufficient path sanitization of dot-dot-slash sequences. …

RemediationAI

Within 24 hours: Identify all applications and services using go-billy library and document current versions in use. Within 7 days: Upgrade go-billy to v5.9.0 (stable) or v6.0.0-alpha.1+ (next-generation); for v5 users, migrate away from deprecated ChrootOS to BoundOS implementation; test upgraded applications in staging. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44973 vulnerability details – vuln.today

Back