{"id":"GO-2026-4377","summary":"Path traversal in TAP 4 multirepo client allows arbitrary file write via repo names in github.com/theupdateframework/go-tuf","details":"A path traversal flaw in the TAP 4 multirepo client of github.com/theupdateframework/go-tuf allows arbitrary file writes via repo names.","aliases":["CVE-2026-24686","GHSA-jqc5-w2xx-5vq4"],"modified":"2026-03-17T05:07:51.063897Z","published":"2026-02-02T21:05:55Z","related":["CGA-hj3w-qhv4-jjc2"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4377"},"references":[{"type":"ADVISORY","url":"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4"},{"type":"FIX","url":"https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0"}],"affected":[{"package":{"name":"github.com/theupdateframework/go-tuf/v2","ecosystem":"Go","purl":"pkg:golang/github.com/theupdateframework/go-tuf/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4377.json"}}],"schema_version":"1.7.5"}