Skip to main content

Go Tuf

4 CVEs product

Monthly

CVE-2026-24686 Go MEDIUM POC PATCH This Month

Path traversal in go-tuf versions 2.0.0 through 2.4.0 allows local attackers with low privileges to write metadata files outside the intended cache directory by injecting directory traversal sequences into the repository name parameter. An attacker supplying a malicious map file can escape the LocalMetadataDir boundary and create directories within the process's filesystem permissions. Public exploit code exists; update to version 2.4.1 or later.

Golang Go Tuf Red Hat Suse
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-23992 Go MEDIUM PATCH This Month

Signature threshold validation bypass in go-tuf versions 2.0.0 through 2.3.0 allows a compromised or misconfigured TUF repository to disable signature verification by setting thresholds to zero, enabling attackers to tamper with metadata files without detection. This affects systems relying on go-tuf for secure software update verification, potentially allowing unauthorized modifications to trusted metadata both at rest and in transit. A patch is available in version 2.3.1.

Golang Go Tuf Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-23991 Go MEDIUM PATCH This Month

go-tuf is a Go implementation of The Update Framework (TUF). [CVSS 5.9 MEDIUM]

Golang Denial Of Service Go Tuf Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2022-29173 Go HIGH PATCH This Week

go-tuf is a Go implementation of The Update Framework (TUF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Tuf
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
EPSS 0% CVSS 4.7
MEDIUM POC PATCH This Month

Path traversal in go-tuf versions 2.0.0 through 2.4.0 allows local attackers with low privileges to write metadata files outside the intended cache directory by injecting directory traversal sequences into the repository name parameter. An attacker supplying a malicious map file can escape the LocalMetadataDir boundary and create directories within the process's filesystem permissions. Public exploit code exists; update to version 2.4.1 or later.

Golang Go Tuf Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Signature threshold validation bypass in go-tuf versions 2.0.0 through 2.3.0 allows a compromised or misconfigured TUF repository to disable signature verification by setting thresholds to zero, enabling attackers to tamper with metadata files without detection. This affects systems relying on go-tuf for secure software update verification, potentially allowing unauthorized modifications to trusted metadata both at rest and in transit. A patch is available in version 2.3.1.

Golang Go Tuf Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

go-tuf is a Go implementation of The Update Framework (TUF). [CVSS 5.9 MEDIUM]

Golang Denial Of Service Go Tuf +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

go-tuf is a Go implementation of The Update Framework (TUF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Tuf
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy