What is the CVSS score of CVE-2026-4660?

CVE-2026-4660 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Red Hat are affected by CVE-2026-4660?

HashiCorp go-getter library versions through 1.8.5 contain an arbitrary file read vulnerability that allows unauthenticated attackers to access sensitive files on systems using the library for git…. A patch is available.

Red Hat CVE-2026-4660

EUVD-2026-20894 HIGH

Information Exposure (CWE-200)

2026-04-09 HashiCorp

GHSA-92mm-2pjq-r785

Information Disclosure Red Hat Hashicorp

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 14:15 euvd

EUVD-2026-20894

Analysis Generated

Apr 09, 2026 - 14:15 vuln.today

CVE Published

Apr 09, 2026 - 13:47 nvd

HIGH 7.5

DescriptionNVD

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

AnalysisAI

Arbitrary file read vulnerability in HashiCorp go-getter library versions up to 1.8.5 enables unauthenticated remote attackers to access sensitive files from the target filesystem through specially crafted git operation URLs. The vulnerability permits confidentiality breach without authentication requirements, affecting network-accessible services utilizing the library for repository cloning or fetching operations. …

RemediationAI

Within 24 hours: Identify all systems running HashiCorp go-getter v1.8.5 and earlier by auditing dependency manifests in Terraform configurations, HashiCorp product installations, and custom applications using the library; disable or restrict network access to affected services pending patch deployment. Within 7 days: Apply vendor-released patch version 1.8.6 or upgrade to go-getter/v2 branch; validate patching across all production and staging environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-8903 MEDIUM This Month

4.3 May 27

Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and incl

CVE-2026-9223 Monitor

4.3 May 22

Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged

CVE-2026-9246 This Week

4.3 May 22

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated

Vendor StatusVendor

CVE-2026-4660 vulnerability details – vuln.today

Back

Red Hat CVE-2026-4660

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code