[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-23991":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":27,"aliases":28,"duplicate_of":9,"upstream":31,"downstream":32,"duplicates":49,"related":50,"reserved_at":9,"published_at":61,"modified_at":62,"state":63,"summary":64,"references_raw":73,"kevs":105,"epss":106,"epss_history":109,"metrics":383,"affected":397},"CVE-2026-23991","go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.",null,[11,19],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-617","Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.","weakness","Draft","Base",[],{"_key":20,"id":20,"name":21,"description":22,"type":15,"status":23,"abstraction":24,"likelihood_of_exploit":25,"capec":26},"CWE-754","Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.","Incomplete","Class","Medium",[],[],[29,30],"GHSA-846p-jg2w-w324","GO-2026-4348",[],[33,35,37,39,41,43,45,47],{"_key":34},"SUSE-SU-2026:0757-1",{"_key":36},"SUSE-SU-2026:0777-1",{"_key":38},"SUSE-SU-2026:0403-1",{"_key":40},"OPENSUSE-SU-2026:10235-1",{"_key":42},"OPENSUSE-SU-2026:20386-1",{"_key":44},"SUSE-SU-2026:20904-1",{"_key":46},"DEBIAN-CVE-2026-23991",{"_key":48},"UBUNTU-CVE-2026-23991",[],[51,52,53,54,55,56,57,59],{"_key":34},{"_key":36},{"_key":38},{"_key":40},{"_key":42},{"_key":44},{"_key":58},"CGA-Q2CX-3RHG-VP74",{"_key":60},"CGA-59J7-6P4F-JQGQ","2026-01-22T02:16:37.294Z","2026-01-22T15:35:31.770Z","Analyzed",{"cisa_kev":65,"cisa_ransomware":65,"cisa_vendor":9,"epss_severity":66,"epss_score":67,"severity":68,"severity_score":69,"severity_version":70,"severity_source":71,"severity_vector":72,"severity_status":63},false,"low",0.00037,"high",7.5,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",[74,84,91,96,100],{"url":75,"sources":76,"tags":79},"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324",[77,71,78],"cve.org","osv_go",[80,81,82,83],"X Refsource CONFIRM","WEB","Advisory","Vendor Advisory",{"url":85,"sources":86,"tags":87},"https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6",[77,71,78],[88,81,89,90],"X Refsource MISC","FIX","Patch",{"url":92,"sources":93,"tags":94},"https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1",[77,71,78],[88,81,95],"Release Notes",{"url":97,"sources":98,"tags":99},"https://nvd.nist.gov/vuln/detail/CVE-2026-23991",[78],[82],{"url":101,"sources":102,"tags":103},"https://github.com/theupdateframework/go-tuf",[78],[104],"PACKAGE",[],{"date":107,"score":67,"percentile":108},"2026-06-05",0.11455,[110,114,117,120,123,126,128,132,135,138,141,144,147,150,153,156,159,162,165,168,171,174,177,180,183,186,189,192,196,199,202,205,208,212,215,218,221,224,227,230,233,236,239,242,245,248,251,254,256,259,262,265,268,271,274,277,280,283,286,289,292,295,298,301,304,307,310,313,316,320,323,326,329,332,335,338,341,344,347,350,353,356,359,362,365,368,371,374,377,380],{"date":111,"score":112,"percentile":113},"2026-01-22",0.00015,0.0226,{"date":115,"score":112,"percentile":116},"2026-01-23",0.02271,{"date":118,"score":112,"percentile":119},"2026-01-24",0.0229,{"date":121,"score":112,"percentile":122},"2026-01-25",0.02283,{"date":124,"score":112,"percentile":125},"2026-01-26",0.02279,{"date":127,"score":112,"percentile":122},"2026-01-27",{"date":129,"score":130,"percentile":131},"2026-01-28",0.0002,0.04257,{"date":133,"score":130,"percentile":134},"2026-01-29",0.04272,{"date":136,"score":130,"percentile":137},"2026-01-30",0.04275,{"date":139,"score":130,"percentile":140},"2026-01-31",0.04251,{"date":142,"score":130,"percentile":143},"2026-02-01",0.04354,{"date":145,"score":130,"percentile":146},"2026-02-02",0.04339,{"date":148,"score":130,"percentile":149},"2026-02-03",0.04327,{"date":151,"score":130,"percentile":152},"2026-02-04",0.04321,{"date":154,"score":130,"percentile":155},"2026-02-05",0.04375,{"date":157,"score":130,"percentile":158},"2026-02-06",0.04362,{"date":160,"score":130,"percentile":161},"2026-02-07",0.04388,{"date":163,"score":130,"percentile":164},"2026-02-08",0.04379,{"date":166,"score":130,"percentile":167},"2026-02-09",0.0436,{"date":169,"score":130,"percentile":170},"2026-02-10",0.04353,{"date":172,"score":130,"percentile":173},"2026-02-11",0.04455,{"date":175,"score":130,"percentile":176},"2026-02-12",0.04524,{"date":178,"score":130,"percentile":179},"2026-02-13",0.04548,{"date":181,"score":130,"percentile":182},"2026-02-14",0.04582,{"date":184,"score":130,"percentile":185},"2026-02-15",0.04604,{"date":187,"score":130,"percentile":188},"2026-02-16",0.04603,{"date":190,"score":130,"percentile":191},"2026-02-17",0.04586,{"date":193,"score":194,"percentile":195},"2026-02-18",0.00022,0.05449,{"date":197,"score":194,"percentile":198},"2026-02-19",0.05519,{"date":200,"score":194,"percentile":201},"2026-02-20",0.05475,{"date":203,"score":194,"percentile":204},"2026-02-21",0.05485,{"date":206,"score":194,"percentile":207},"2026-02-22",0.05484,{"date":209,"score":210,"percentile":211},"2026-02-23",0.00024,0.06101,{"date":213,"score":210,"percentile":214},"2026-02-24",0.06092,{"date":216,"score":210,"percentile":217},"2026-02-25",0.06055,{"date":219,"score":210,"percentile":220},"2026-02-26",0.0602,{"date":222,"score":210,"percentile":223},"2026-02-27",0.06051,{"date":225,"score":210,"percentile":226},"2026-02-28",0.06052,{"date":228,"score":210,"percentile":229},"2026-03-01",0.06129,{"date":231,"score":210,"percentile":232},"2026-03-02",0.06093,{"date":234,"score":210,"percentile":235},"2026-03-03",0.06106,{"date":237,"score":210,"percentile":238},"2026-03-04",0.0601,{"date":240,"score":210,"percentile":241},"2026-03-05",0.06037,{"date":243,"score":210,"percentile":244},"2026-03-06",0.06017,{"date":246,"score":210,"percentile":247},"2026-03-07",0.06025,{"date":249,"score":210,"percentile":250},"2026-03-08",0.06009,{"date":252,"score":210,"percentile":253},"2026-03-09",0.05976,{"date":255,"score":210,"percentile":253},"2026-03-10",{"date":257,"score":210,"percentile":258},"2026-03-11",0.05994,{"date":260,"score":210,"percentile":261},"2026-03-12",0.06016,{"date":263,"score":210,"percentile":264},"2026-03-13",0.06036,{"date":266,"score":210,"percentile":267},"2026-03-14",0.05977,{"date":269,"score":210,"percentile":270},"2026-03-15",0.05967,{"date":272,"score":210,"percentile":273},"2026-03-16",0.05953,{"date":275,"score":210,"percentile":276},"2026-03-17",0.05939,{"date":278,"score":210,"percentile":279},"2026-03-18",0.05932,{"date":281,"score":210,"percentile":282},"2026-03-19",0.0597,{"date":284,"score":210,"percentile":285},"2026-03-20",0.05984,{"date":287,"score":210,"percentile":288},"2026-03-21",0.06203,{"date":290,"score":210,"percentile":291},"2026-03-22",0.06197,{"date":293,"score":210,"percentile":294},"2026-03-23",0.06175,{"date":296,"score":210,"percentile":297},"2026-03-24",0.06163,{"date":299,"score":210,"percentile":300},"2026-03-25",0.06216,{"date":302,"score":210,"percentile":303},"2026-03-26",0.06271,{"date":305,"score":210,"percentile":306},"2026-03-27",0.06267,{"date":308,"score":210,"percentile":309},"2026-03-28",0.06272,{"date":311,"score":210,"percentile":312},"2026-03-29",0.06262,{"date":314,"score":210,"percentile":315},"2026-03-30",0.06244,{"date":317,"score":318,"percentile":319},"2026-03-31",0.00025,0.06553,{"date":321,"score":318,"percentile":322},"2026-04-01",0.06558,{"date":324,"score":318,"percentile":325},"2026-04-02",0.06627,{"date":327,"score":318,"percentile":328},"2026-04-03",0.06636,{"date":330,"score":318,"percentile":331},"2026-04-04",0.06671,{"date":333,"score":318,"percentile":334},"2026-04-05",0.06666,{"date":336,"score":318,"percentile":337},"2026-04-06",0.06632,{"date":339,"score":318,"percentile":340},"2026-04-07",0.06651,{"date":342,"score":318,"percentile":343},"2026-04-08",0.067,{"date":345,"score":318,"percentile":346},"2026-04-09",0.06734,{"date":348,"score":318,"percentile":349},"2026-04-10",0.06746,{"date":351,"score":318,"percentile":352},"2026-04-11",0.06733,{"date":354,"score":318,"percentile":355},"2026-04-12",0.06725,{"date":357,"score":318,"percentile":358},"2026-04-13",0.06718,{"date":360,"score":318,"percentile":361},"2026-04-14",0.06634,{"date":363,"score":318,"percentile":364},"2026-04-15",0.06644,{"date":366,"score":318,"percentile":367},"2026-04-16",0.06655,{"date":369,"score":318,"percentile":370},"2026-04-17",0.06665,{"date":372,"score":318,"percentile":373},"2026-04-18",0.06646,{"date":375,"score":318,"percentile":376},"2026-04-19",0.06626,{"date":378,"score":318,"percentile":379},"2026-04-20",0.0661,{"date":381,"score":318,"percentile":382},"2026-04-21",0.06802,[384,391,395],{"source":77,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":385,"cvss_v4_0":9},{"baseScore":386,"baseSeverity":387,"vectorString":388,"impactScore":389,"exploitabilityScore":390},5.9,"MEDIUM","CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",6,5.6,{"source":71,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":392,"cvss_v4_0":9},{"baseScore":69,"baseSeverity":393,"vectorString":72,"impactScore":389,"exploitabilityScore":394},"HIGH",10,{"source":78,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":396,"cvss_v4_0":9},{"baseScore":386,"baseSeverity":9,"vectorString":388,"impactScore":389,"exploitabilityScore":390},[398,409,417],{"ecosystem":399,"name":400,"vendor":401,"product":402,"cpe_part":9,"purl_type":403,"purl_namespace":401,"purl_name":402,"source":9,"versions":404},"Go","github.com/theupdateframework/go-tuf","github.com/theupdateframework","go-tuf","golang",[405],{"version":406,"is_range":407,"range_type":408,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"semver",{"ecosystem":399,"name":410,"vendor":400,"product":411,"cpe_part":9,"purl_type":403,"purl_namespace":400,"purl_name":411,"source":9,"versions":412},"github.com/theupdateframework/go-tuf/v2","v2",[413],{"version":414,"is_range":407,"range_type":408,"version_start":9,"version_start_type":9,"version_end":415,"version_end_type":416,"fixed_in":9},"lt2_3_1","2.3.1","excluding",{"ecosystem":9,"name":402,"vendor":418,"product":402,"cpe_part":419,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":420},"theupdateframework","a",[421],{"version":422,"is_range":407,"range_type":423,"version_start":424,"version_start_type":425,"version_end":415,"version_end_type":416,"fixed_in":9},"gte2.0.0_lt2.3.1","cpe","2.0.0","including"]