{"id":"CVE-2026-44973","summary":"Billy: Path traversal vulnerabilities","details":"Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.","aliases":["GHSA-qw64-3x98-g7q2"],"modified":"2026-06-02T03:54:12.283765539Z","published":"2026-05-28T21:26:14.734Z","related":["CGA-w99c-3vgh-qrg5"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44973.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44973.json"},{"type":"ADVISORY","url":"https://github.com/go-git/go-billy/security/advisories/GHSA-qw64-3x98-g7q2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44973"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/go-git/go-billy","events":[{"introduced":"0"},{"fixed":"237e529bb8de61704047f71a5ab1c8e6676492f1"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.9.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v5.8.0","v5.7.0","v5.6.2","v5.6.1","v5.6.0","v5.5.0","v5.4.1","v5.4.0","v5.3.1","v5.3.0","v5.2.0","v5.1.0","v5.0.0","v4.3.2","v4.3.1","v4.3.0","v4.2.1","v4.2.0","v4.1.1","v4.1.0","v4.0.2","v4.0.1","v4.0.0","v3.1.0","v3.0.1","v3.0.0","v2.0.5","v2.0.3","v2.0.4","v2.0.2","v2.0.0","v1.0.0","v1-alpha"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44973.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}