Medium CVSS: 4.7

CVE-2026-24686

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.
Vendor
Theupdateframework
Product
Go-tuf
CWE
CWE-22
Published
2026-01-27 01:16:02
Last Updated
2026-02-24 19:08:46
Source Identifier
security-advisories@github.com
KEV Date Added
-