[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2023-49569":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T20:55:33.689Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":41,"duplicate_of":9,"upstream":44,"downstream":45,"duplicates":60,"related":61,"reserved_at":9,"published_at":88,"modified_at":89,"state":90,"summary":91,"references_raw":100,"kevs":119,"epss":120,"epss_history":123,"metrics":377,"affected":386},"CVE-2023-49569","A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.\n\nApplications are only affected if they are using the  ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using  BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue.\nThis is a go-git implementation issue and does not affect the upstream git cli.\n\n\n",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],[],[42,43],"GHSA-449p-3h89-pw88","GO-2024-2456",[],[46,48,50,52,54,56,58],{"_key":47},"RHSA-2024:2631",{"_key":49},"UBUNTU-CVE-2023-49569",{"_key":51},"USN-8088-1",{"_key":53},"DEBIAN-CVE-2023-49569",{"_key":55},"RHSA-2024:0880",{"_key":57},"RHSA-2024:3925",{"_key":59},"RHSA-2024:4118",[],[62,64,66,68,70,72,74,76,78,80,82,84,86],{"_key":63},"CGA-3CXH-XVCG-8CQX",{"_key":65},"CGA-4CGV-XFQX-4QW7",{"_key":67},"CGA-5X2R-H3QX-FJXX",{"_key":69},"CGA-654Q-Q25G-GVHG",{"_key":71},"CGA-86CR-2HFV-MG62",{"_key":73},"CGA-FR8H-J77F-MQ45",{"_key":75},"CGA-HR3V-VQM4-QQM2",{"_key":77},"CGA-HV74-JJ3Q-G3WR",{"_key":79},"CGA-M4HM-524X-WXH4",{"_key":81},"CGA-VMVV-WJ22-W427",{"_key":83},"CGA-W79C-92J3-WR43",{"_key":85},"CGA-W99W-QR69-JR2R",{"_key":87},"CGA-GHFJ-54HG-3XGM","2024-01-12T10:41:00.201Z","2024-11-14T14:34:02.845Z","Modified",{"cisa_kev":92,"cisa_ransomware":92,"cisa_vendor":9,"epss_severity":93,"epss_score":94,"severity":95,"severity_score":96,"severity_version":97,"severity_source":98,"severity_vector":99,"severity_status":90},false,"low",0.04027,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[101,109,114],{"url":102,"sources":103,"tags":106},"https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88",[98,104,105],"nvd","osv_go",[107,108],"Vendor Advisory","WEB",{"url":110,"sources":111,"tags":112},"https://nvd.nist.gov/vuln/detail/CVE-2023-49569",[105],[113],"Advisory",{"url":115,"sources":116,"tags":117},"https://github.com/go-git/go-git",[105],[118],"PACKAGE",[],{"date":121,"score":94,"percentile":122},"2026-06-04",0.8869,[124,127,130,133,136,139,142,145,147,149,152,155,157,160,162,166,169,172,175,178,181,183,186,189,192,194,197,200,203,205,208,211,214,217,219,221,224,227,230,233,236,238,240,243,246,249,251,254,257,260,263,266,269,272,275,278,281,283,286,289,292,295,298,300,303,306,309,312,315,317,319,321,324,327,330,333,336,339,342,345,348,351,354,357,360,362,365,368,371,374],{"date":125,"score":94,"percentile":126},"2025-11-04",0.87972,{"date":128,"score":94,"percentile":129},"2025-11-05",0.87974,{"date":131,"score":94,"percentile":132},"2025-11-06",0.87961,{"date":134,"score":94,"percentile":135},"2025-11-07",0.87967,{"date":137,"score":94,"percentile":138},"2025-11-08",0.87969,{"date":140,"score":94,"percentile":141},"2025-11-09",0.87964,{"date":143,"score":94,"percentile":144},"2025-11-10",0.87963,{"date":146,"score":94,"percentile":138},"2025-11-11",{"date":148,"score":94,"percentile":129},"2025-11-12",{"date":150,"score":94,"percentile":151},"2025-11-13",0.87979,{"date":153,"score":94,"percentile":154},"2025-11-14",0.87983,{"date":156,"score":94,"percentile":151},"2025-11-15",{"date":158,"score":94,"percentile":159},"2025-11-16",0.87982,{"date":161,"score":94,"percentile":151},"2025-11-17",{"date":163,"score":164,"percentile":165},"2025-11-18",0.04381,0.87868,{"date":167,"score":164,"percentile":168},"2025-11-19",0.87872,{"date":170,"score":164,"percentile":171},"2025-11-20",0.87876,{"date":173,"score":94,"percentile":174},"2025-11-21",0.87994,{"date":176,"score":94,"percentile":177},"2025-11-22",0.87991,{"date":179,"score":94,"percentile":180},"2025-11-23",0.87987,{"date":182,"score":94,"percentile":180},"2025-11-24",{"date":184,"score":94,"percentile":185},"2025-11-25",0.87989,{"date":187,"score":94,"percentile":188},"2025-11-26",0.87988,{"date":190,"score":94,"percentile":191},"2025-11-27",0.8799,{"date":193,"score":94,"percentile":151},"2025-11-28",{"date":195,"score":94,"percentile":196},"2025-11-29",0.88055,{"date":198,"score":94,"percentile":199},"2025-11-30",0.88054,{"date":201,"score":94,"percentile":202},"2025-12-01",0.88113,{"date":204,"score":94,"percentile":202},"2025-12-02",{"date":206,"score":94,"percentile":207},"2025-12-03",0.88111,{"date":209,"score":94,"percentile":210},"2025-12-04",0.8805,{"date":212,"score":94,"percentile":213},"2025-12-05",0.88052,{"date":215,"score":94,"percentile":216},"2025-12-06",0.88051,{"date":218,"score":94,"percentile":216},"2025-12-07",{"date":220,"score":94,"percentile":216},"2025-12-08",{"date":222,"score":94,"percentile":223},"2025-12-09",0.88064,{"date":225,"score":94,"percentile":226},"2025-12-10",0.88085,{"date":228,"score":94,"percentile":229},"2025-12-11",0.88088,{"date":231,"score":94,"percentile":232},"2025-12-12",0.88093,{"date":234,"score":94,"percentile":235},"2025-12-13",0.88094,{"date":237,"score":94,"percentile":232},"2025-12-14",{"date":239,"score":94,"percentile":232},"2025-12-15",{"date":241,"score":94,"percentile":242},"2025-12-16",0.88099,{"date":244,"score":94,"percentile":245},"2025-12-17",0.88102,{"date":247,"score":94,"percentile":248},"2025-12-18",0.8811,{"date":250,"score":94,"percentile":207},"2025-12-19",{"date":252,"score":94,"percentile":253},"2025-12-20",0.88112,{"date":255,"score":94,"percentile":256},"2025-12-21",0.88119,{"date":258,"score":94,"percentile":259},"2025-12-22",0.88118,{"date":261,"score":94,"percentile":262},"2025-12-23",0.88123,{"date":264,"score":94,"percentile":265},"2025-12-24",0.88125,{"date":267,"score":94,"percentile":268},"2025-12-25",0.88136,{"date":270,"score":94,"percentile":271},"2025-12-26",0.88135,{"date":273,"score":94,"percentile":274},"2025-12-27",0.88179,{"date":276,"score":94,"percentile":277},"2025-12-28",0.88129,{"date":279,"score":94,"percentile":280},"2025-12-29",0.88122,{"date":282,"score":94,"percentile":277},"2025-12-30",{"date":284,"score":94,"percentile":285},"2025-12-31",0.8814,{"date":287,"score":94,"percentile":288},"2026-01-01",0.88196,{"date":290,"score":94,"percentile":291},"2026-01-02",0.88192,{"date":293,"score":94,"percentile":294},"2026-01-03",0.88191,{"date":296,"score":94,"percentile":297},"2026-01-04",0.88131,{"date":299,"score":94,"percentile":277},"2026-01-05",{"date":301,"score":94,"percentile":302},"2026-01-06",0.88134,{"date":304,"score":94,"percentile":305},"2026-01-07",0.88138,{"date":307,"score":94,"percentile":308},"2026-01-08",0.88144,{"date":310,"score":94,"percentile":311},"2026-01-09",0.88145,{"date":313,"score":94,"percentile":314},"2026-01-10",0.88146,{"date":316,"score":94,"percentile":285},"2026-01-11",{"date":318,"score":94,"percentile":305},"2026-01-12",{"date":320,"score":94,"percentile":268},"2026-01-13",{"date":322,"score":94,"percentile":323},"2026-01-14",0.8815,{"date":325,"score":94,"percentile":326},"2026-01-15",0.88153,{"date":328,"score":94,"percentile":329},"2026-01-16",0.88157,{"date":331,"score":94,"percentile":332},"2026-01-17",0.88158,{"date":334,"score":94,"percentile":335},"2026-01-18",0.88159,{"date":337,"score":94,"percentile":338},"2026-01-19",0.88156,{"date":340,"score":94,"percentile":341},"2026-01-20",0.8816,{"date":343,"score":94,"percentile":344},"2026-01-21",0.88166,{"date":346,"score":94,"percentile":347},"2026-01-22",0.88169,{"date":349,"score":94,"percentile":350},"2026-01-23",0.88182,{"date":352,"score":94,"percentile":353},"2026-01-24",0.88189,{"date":355,"score":94,"percentile":356},"2026-01-25",0.88184,{"date":358,"score":94,"percentile":359},"2026-01-26",0.88183,{"date":361,"score":94,"percentile":356},"2026-01-27",{"date":363,"score":94,"percentile":364},"2026-01-28",0.88186,{"date":366,"score":94,"percentile":367},"2026-01-29",0.8819,{"date":369,"score":94,"percentile":370},"2026-01-30",0.88195,{"date":372,"score":94,"percentile":373},"2026-01-31",0.88187,{"date":375,"score":94,"percentile":376},"2026-02-01",0.88251,[378,382,384],{"source":98,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":379,"cvss_v4_0":9},{"baseScore":96,"baseSeverity":380,"vectorString":99,"impactScore":96,"exploitabilityScore":381},"CRITICAL",10,{"source":104,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":383,"cvss_v4_0":9},{"baseScore":96,"baseSeverity":380,"vectorString":99,"impactScore":96,"exploitabilityScore":381},{"source":105,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":385,"cvss_v4_0":9},{"baseScore":96,"baseSeverity":9,"vectorString":99,"impactScore":96,"exploitabilityScore":381},[387,400,403,414],{"ecosystem":9,"name":388,"vendor":389,"product":388,"cpe_part":390,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":391},"go-git","go-git_project","a",[392],{"version":393,"is_range":394,"range_type":395,"version_start":396,"version_start_type":397,"version_end":398,"version_end_type":399,"fixed_in":9},"gte4.0.0_lt5.11.0",true,"cpe","4.0.0","including","5.11.0","excluding",{"ecosystem":9,"name":388,"vendor":388,"product":388,"cpe_part":390,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":401},[402],{"version":398,"is_range":92,"range_type":98,"version_start":398,"version_start_type":397,"version_end":398,"version_end_type":397,"fixed_in":9},{"ecosystem":404,"name":405,"vendor":406,"product":407,"cpe_part":9,"purl_type":408,"purl_namespace":406,"purl_name":407,"source":9,"versions":409},"Go","github.com/go-git/go-git/v5","github.com/go-git/go-git","v5","golang",[410],{"version":411,"is_range":394,"range_type":412,"version_start":413,"version_start_type":397,"version_end":398,"version_end_type":399,"fixed_in":9},"gte5_0_0_lt5_11_0","semver","5.0.0",{"ecosystem":404,"name":415,"vendor":416,"product":417,"cpe_part":9,"purl_type":408,"purl_namespace":416,"purl_name":417,"source":9,"versions":418},"gopkg.in/src-d/go-git.v4","gopkg.in/src-d","go-git.v4",[419,422],{"version":420,"is_range":394,"range_type":412,"version_start":421,"version_start_type":397,"version_end":9,"version_end_type":9,"fixed_in":9},"gte4_7_1","4.7.1",{"version":423,"is_range":394,"range_type":412,"version_start":396,"version_start_type":397,"version_end":424,"version_end_type":397,"fixed_in":9},"gte4_0_0_lte4_13_1","4.13.1"]