cvedb.io
CVE-2026-24686
MEDIUM · CVSS 4.7
EPSS exploitation probability: 0%
Published 2026-01-27T01:16:02.790 · Last modified 2026-06-17T10:23:25.357

Summary

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.

Affected products

theupdateframework — go-tuf

Does this affect you?

Add your gear to cvedb and we'll alert you only when theupdateframework ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.