{"id":"GO-2026-4358","summary":"Sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal in github.com/sigstore/sigstore","details":"The legacy TUF client in github.com/sigstore/sigstore (package github.com/sigstore/sigstore/pkg/tuf) allows arbitrary file writes via path traversal in the target cache path. Affected symbols include diskCache.Get and diskCache.Set together with the exported entry points listed under ecosystem_specific.imports (GetRootStatus, Initialize, NewFromEnv, NewSigstoreTufRepo, TUF.GetTarget, TUF.GetTargetsByMeta). Fixed in v1.10.4; see the linked advisory and fix commit.","aliases":["CVE-2026-24137","GHSA-fcv2-xgw5-pqxf"],"modified":"2026-03-17T05:07:43.731023Z","published":"2026-02-19T17:28:55Z","related":["CGA-6h22-55xm-mr2f"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4358"},"references":[{"type":"ADVISORY","url":"https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf"},{"type":"FIX","url":"https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e"},{"type":"WEB","url":"https://github.com/sigstore/sigstore/releases/tag/v1.10.4"}],"affected":[{"package":{"name":"github.com/sigstore/sigstore","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/sigstore"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["GetRootStatus","Initialize","NewFromEnv","NewSigstoreTufRepo","TUF.GetTarget","TUF.GetTargetsByMeta","diskCache.Get","diskCache.Set"],"path":"github.com/sigstore/sigstore/pkg/tuf"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4358.json"}}],"schema_version":"1.7.5"}