[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-23992":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":27,"aliases":28,"duplicate_of":9,"upstream":31,"downstream":32,"duplicates":49,"related":50,"reserved_at":9,"published_at":59,"modified_at":60,"state":61,"summary":62,"references_raw":71,"kevs":102,"epss":103,"epss_history":106,"metrics":358,"affected":372},"CVE-2026-23992","go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification of TUF metadata files at rest or in transit, because no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-347","Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.","weakness","Draft","Base",[19,23],{"id":20,"name":21,"techniques":22},"CAPEC-463","Padding Oracle Crypto Attack",[],{"id":24,"name":25,"techniques":26},"CAPEC-475","Signature Spoofing by Improper 
Validation",[],[],[29,30],"GHSA-fphv-w9fq-2525","GO-2026-4349",[],[33,35,37,39,41,43,45,47],{"_key":34},"SUSE-SU-2026:0757-1",{"_key":36},"SUSE-SU-2026:0777-1",{"_key":38},"SUSE-SU-2026:0403-1",{"_key":40},"OPENSUSE-SU-2026:10235-1",{"_key":42},"OPENSUSE-SU-2026:20386-1",{"_key":44},"SUSE-SU-2026:20904-1",{"_key":46},"DEBIAN-CVE-2026-23992",{"_key":48},"UBUNTU-CVE-2026-23992",[],[51,52,53,54,55,56,57],{"_key":34},{"_key":36},{"_key":38},{"_key":40},{"_key":42},{"_key":44},{"_key":58},"CGA-79R6-9887-XQHR","2026-01-22T02:20:06.845Z","2026-01-22T15:21:21.301Z","Analyzed",{"cisa_kev":63,"cisa_ransomware":63,"cisa_vendor":9,"epss_severity":64,"epss_score":65,"severity":66,"severity_score":67,"severity_version":68,"severity_source":69,"severity_vector":70,"severity_status":61},false,"low",0.00011,"high",7.5,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",[72,83,89,93,98],{"url":73,"sources":74,"tags":77},"https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525",[75,69,76],"cve.org","osv_go",[78,79,80,81,82],"X Refsource CONFIRM","WEB","Advisory","Patch","Vendor Advisory",{"url":84,"sources":85,"tags":86},"https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0",[75,69,76],[87,79,88,81],"X Refsource 
MISC","FIX",{"url":90,"sources":91,"tags":92},"https://nvd.nist.gov/vuln/detail/CVE-2026-23992",[76],[80],{"url":94,"sources":95,"tags":96},"https://github.com/theupdateframework/go-tuf",[76],[97],"PACKAGE",{"url":99,"sources":100,"tags":101},"https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1",[76],[79],[],{"date":104,"score":65,"percentile":105},"2026-06-05",0.01401,[107,111,114,117,120,123,126,129,132,135,138,141,144,147,150,153,156,158,161,164,166,168,170,173,176,178,181,183,187,190,193,196,199,202,205,208,211,214,217,219,222,225,228,231,234,237,240,243,245,247,249,252,255,258,261,263,265,268,270,273,276,279,282,285,287,290,292,294,296,300,303,306,309,312,314,317,320,323,326,329,331,334,336,339,342,345,348,350,353,355],{"date":108,"score":109,"percentile":110},"2026-01-22",0.00008,0.0058,{"date":112,"score":109,"percentile":113},"2026-01-23",0.00585,{"date":115,"score":109,"percentile":116},"2026-01-24",0.00586,{"date":118,"score":109,"percentile":119},"2026-01-25",0.00587,{"date":121,"score":109,"percentile":122},"2026-01-26",0.00588,{"date":124,"score":109,"percentile":125},"2026-01-27",0.00591,{"date":127,"score":109,"percentile":128},"2026-01-28",0.00535,{"date":130,"score":109,"percentile":131},"2026-01-29",0.00538,{"date":133,"score":109,"percentile":134},"2026-01-30",0.00549,{"date":136,"score":109,"percentile":137},"2026-01-31",0.00552,{"date":139,"score":109,"percentile":140},"2026-02-01",0.00555,{"date":142,"score":109,"percentile":143},"2026-02-02",0.00554,{"date":145,"score":109,"percentile":146},"2026-02-03",0.00561,{"date":148,"score":109,"percentile":149},"2026-02-04",0.00565,{"date":151,"score":109,"percentile":152},"2026-02-05",0.00568,{"date":154,"score":109,"percentile":155},"2026-02-06",0.00576,{"date":157,"score":109,"percentile":155},"2026-02-07",{"date":159,"score":109,"percentile":160},"2026-02-08",0.00575,{"date":162,"score":109,"percentile":163},"2026-02-09",0.00571,{"date":165,"score":109,"percentile":163},"2026-02-10",{"
date":167,"score":109,"percentile":113},"2026-02-11",{"date":169,"score":109,"percentile":113},"2026-02-12",{"date":171,"score":109,"percentile":172},"2026-02-13",0.00583,{"date":174,"score":109,"percentile":175},"2026-02-14",0.00582,{"date":177,"score":109,"percentile":172},"2026-02-15",{"date":179,"score":109,"percentile":180},"2026-02-16",0.00579,{"date":182,"score":109,"percentile":155},"2026-02-17",{"date":184,"score":185,"percentile":186},"2026-02-18",0.00009,0.00772,{"date":188,"score":185,"percentile":189},"2026-02-19",0.00775,{"date":191,"score":185,"percentile":192},"2026-02-20",0.00778,{"date":194,"score":185,"percentile":195},"2026-02-21",0.00777,{"date":197,"score":185,"percentile":198},"2026-02-22",0.00776,{"date":200,"score":185,"percentile":201},"2026-02-23",0.00912,{"date":203,"score":185,"percentile":204},"2026-02-24",0.00902,{"date":206,"score":185,"percentile":207},"2026-02-25",0.00901,{"date":209,"score":185,"percentile":210},"2026-02-26",0.009,{"date":212,"score":185,"percentile":213},"2026-02-27",0.00908,{"date":215,"score":185,"percentile":216},"2026-02-28",0.0091,{"date":218,"score":185,"percentile":216},"2026-03-01",{"date":220,"score":185,"percentile":221},"2026-03-02",0.00905,{"date":223,"score":185,"percentile":224},"2026-03-03",0.00923,{"date":226,"score":185,"percentile":227},"2026-03-04",0.00922,{"date":229,"score":185,"percentile":230},"2026-03-05",0.00932,{"date":232,"score":185,"percentile":233},"2026-03-06",0.00929,{"date":235,"score":185,"percentile":236},"2026-03-07",0.00925,{"date":238,"score":185,"percentile":239},"2026-03-08",0.00928,{"date":241,"score":185,"percentile":242},"2026-03-09",0.00927,{"date":244,"score":185,"percentile":236},"2026-03-10",{"date":246,"score":185,"percentile":227},"2026-03-11",{"date":248,"score":185,"percentile":242},"2026-03-12",{"date":250,"score":185,"percentile":251},"2026-03-13",0.00926,{"date":253,"score":185,"percentile":254},"2026-03-14",0.0092,{"date":256,"score":185,"percentile":257},"202
6-03-15",0.00917,{"date":259,"score":185,"percentile":260},"2026-03-16",0.00916,{"date":262,"score":185,"percentile":201},"2026-03-17",{"date":264,"score":185,"percentile":201},"2026-03-18",{"date":266,"score":185,"percentile":267},"2026-03-19",0.00909,{"date":269,"score":185,"percentile":213},"2026-03-20",{"date":271,"score":185,"percentile":272},"2026-03-21",0.00976,{"date":274,"score":185,"percentile":275},"2026-03-22",0.00969,{"date":277,"score":185,"percentile":278},"2026-03-23",0.00967,{"date":280,"score":185,"percentile":281},"2026-03-24",0.00961,{"date":283,"score":185,"percentile":284},"2026-03-25",0.0097,{"date":286,"score":185,"percentile":284},"2026-03-26",{"date":288,"score":185,"percentile":289},"2026-03-27",0.00974,{"date":291,"score":185,"percentile":272},"2026-03-28",{"date":293,"score":185,"percentile":272},"2026-03-29",{"date":295,"score":185,"percentile":284},"2026-03-30",{"date":297,"score":298,"percentile":299},"2026-03-31",0.0001,0.01049,{"date":301,"score":298,"percentile":302},"2026-04-01",0.01048,{"date":304,"score":298,"percentile":305},"2026-04-02",0.01055,{"date":307,"score":298,"percentile":308},"2026-04-03",0.01054,{"date":310,"score":298,"percentile":311},"2026-04-04",0.01057,{"date":313,"score":298,"percentile":311},"2026-04-05",{"date":315,"score":298,"percentile":316},"2026-04-06",0.01064,{"date":318,"score":298,"percentile":319},"2026-04-07",0.01066,{"date":321,"score":298,"percentile":322},"2026-04-08",0.01071,{"date":324,"score":298,"percentile":325},"2026-04-09",0.0107,{"date":327,"score":298,"percentile":328},"2026-04-10",0.01067,{"date":330,"score":298,"percentile":305},"2026-04-11",{"date":332,"score":298,"percentile":333},"2026-04-12",0.0105,{"date":335,"score":298,"percentile":333},"2026-04-13",{"date":337,"score":298,"percentile":338},"2026-04-14",0.01036,{"date":340,"score":298,"percentile":341},"2026-04-15",0.01037,{"date":343,"score":298,"percentile":344},"2026-04-16",0.01045,{"date":346,"score":298,"percentile":347},"
2026-04-17",0.01047,{"date":349,"score":298,"percentile":308},"2026-04-18",{"date":351,"score":298,"percentile":352},"2026-04-19",0.01053,{"date":354,"score":298,"percentile":333},"2026-04-20",{"date":356,"score":298,"percentile":357},"2026-04-21",0.01115,[359,366,370],{"source":75,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":360,"cvss_v4_0":9},{"baseScore":361,"baseSeverity":362,"vectorString":363,"impactScore":364,"exploitabilityScore":365},5.9,"MEDIUM","CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",6,5.6,{"source":69,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":367,"cvss_v4_0":9},{"baseScore":67,"baseSeverity":368,"vectorString":70,"impactScore":364,"exploitabilityScore":369},"HIGH",10,{"source":76,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":371,"cvss_v4_0":9},{"baseScore":361,"baseSeverity":9,"vectorString":363,"impactScore":364,"exploitabilityScore":365},[373,384,392],{"ecosystem":374,"name":375,"vendor":376,"product":377,"cpe_part":9,"purl_type":378,"purl_namespace":376,"purl_name":377,"source":9,"versions":379},"Go","github.com/theupdateframework/go-tuf","github.com/theupdateframework","go-tuf","golang",[380],{"version":381,"is_range":382,"range_type":383,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"semver",{"ecosystem":374,"name":385,"vendor":375,"product":386,"cpe_part":9,"purl_type":378,"purl_namespace":375,"purl_name":386,"source":9,"versions":387},"github.com/theupdateframework/go-tuf/v2","v2",[388],{"version":389,"is_range":382,"range_type":383,"version_start":9,"version_start_type":9,"version_end":390,"version_end_type":391,"fixed_in":9},"lt2_3_1","2.3.1","excluding",{"ecosystem":9,"name":377,"vendor":393,"product":377,"cpe_part":394,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":395},"theupdateframework","a",[396],{"version":397,"is_range":382,"range_type":398,"version_start":399,"version_start_type":400,"version_end":390,"version_end_type":391,"fixed_in":9},"gte2.0.0_lt2.3.1","cpe","2
.0.0","including"]