[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-24686":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T08:55:34.825Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":50,"duplicate_of":9,"upstream":53,"downstream":54,"duplicates":65,"related":66,"reserved_at":9,"published_at":72,"modified_at":73,"state":74,"summary":75,"references_raw":83,"kevs":110,"epss":111,"epss_history":114,"metrics":365,"affected":375},"CVE-2026-24686","go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],[41],{"_key":42,"name":43,"source":44,"url":45,"maturity":46,"reliability_score":47,"verified":48,"type":9,"platforms":49,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_THEUPDATEFRAMEWORK_GO-TUF","Go Tuf","github","https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4","poc",0.3,false,[],[51,52],"GHSA-jqc5-w2xx-5vq4","GO-2026-4377",[],[55,57,59,61,63],{"_key":56},"SUSE-SU-2026:0757-1",{"_key":58},"SUSE-SU-2026:0403-1",{"_key":60},"DEBIAN-CVE-2026-24686",{"_key":62},"OPENSUSE-SU-2026:10664-1",{"_key":64},"UBUNTU-CVE-2026-24686",[],[67,68,69,70],{"_key":56},{"_key":58},{"_key":62},{"_key":71},"CGA-HJ3W-QHV4-JJC2","2026-01-27T00:45:43.422Z","2026-01-27T14:40:01.511Z","Analyzed",{"cisa_kev":48,"cisa_ransomware":48,"cisa_vendor":9,"epss_severity":76,"epss_score":77,"severity":78,"severity_score":79,"severity_version":80,"severity_source":81,"severity_vector":82,"severity_status":74},"low",0.00009,"medium",4.7,"v3.1","cve.org","CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",[84,94,101,106],{"url":45,"sources":85,"tags":88},[81,86,87],"nvd","osv_go",[89,90,91,92,93],"X Refsource CONFIRM","WEB","Advisory","Exploit","Vendor Advisory",{"url":95,"sources":96,"tags":97},"https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0",[81,86,87],[98,90,99,100],"X Refsource MISC","FIX","Patch",{"url":102,"sources":103,"tags":104},"https://github.com/theupdateframework/go-tuf",[87],[105],"PACKAGE",{"url":107,"sources":108,"tags":109},"https://nvd.nist.gov/vuln/detail/CVE-2026-24686",[87],[91],[],{"date":112,"score":77,"percentile":113},"2026-06-05",0.00988,[115,119,122,125,128,131,133,137,140,143,146,149,152,155,158,160,163,166,169,171,173,176,179,182,185,188,191,194,197,199,202,205,207,211,214,217,220,223,226,229,232,235,237,239,241,244,247,249,251,254,257,259,261,263,266,269,272,274,277,279,282,285,287,290,293,296,298,301,304,307,310,312,314,317,320,323,326,329,332,335,338,340,343,346,348,351,354,357,360,363],{"date":116,"score":117,"percentile":118},"2026-01-27",0.00006,0.00314,{"date":120,"score":117,"percentile":121},"2026-01-28",0.00316,{"date":123,"score":117,"percentile":124},"2026-01-29",0.00318,{"date":126,"score":117,"percentile":127},"2026-01-30",0.00324,{"date":129,"score":117,"percentile":130},"2026-01-31",0.00325,{"date":132,"score":117,"percentile":127},"2026-02-01",{"date":134,"score":135,"percentile":136},"2026-02-02",0.00007,0.0041,{"date":138,"score":135,"percentile":139},"2026-02-03",0.00416,{"date":141,"score":135,"percentile":142},"2026-02-04",0.00421,{"date":144,"score":135,"percentile":145},"2026-02-05",0.00423,{"date":147,"score":135,"percentile":148},"2026-02-06",0.0043,{"date":150,"score":135,"percentile":151},"2026-02-07",0.00429,{"date":153,"score":135,"percentile":154},"2026-02-08",0.00424,{"date":156,"score":135,"percentile":157},"2026-02-09",0.0042,{"date":159,"score":135,"percentile":145},"2026-02-10",{"date":161,"score":135,"percentile":162},"2026-02-11",0.00433,{"date":164,"score":135,"percentile":165},"2026-02-12",0.00437,{"date":167,"score":135,"percentile":168},"2026-02-13",0.00436,{"date":170,"score":135,"percentile":148},"2026-02-14",{"date":172,"score":135,"percentile":162},"2026-02-15",{"date":174,"score":135,"percentile":175},"2026-02-16",0.00432,{"date":177,"score":135,"percentile":178},"2026-02-17",0.00428,{"date":180,"score":135,"percentile":181},"2026-02-18",0.00483,{"date":183,"score":135,"percentile":184},"2026-02-19",0.00485,{"date":186,"score":135,"percentile":187},"2026-02-20",0.00488,{"date":189,"score":135,"percentile":190},"2026-02-21",0.00487,{"date":192,"score":135,"percentile":193},"2026-02-22",0.00486,{"date":195,"score":135,"percentile":196},"2026-02-23",0.00484,{"date":198,"score":135,"percentile":196},"2026-02-24",{"date":200,"score":135,"percentile":201},"2026-02-25",0.00532,{"date":203,"score":135,"percentile":204},"2026-02-26",0.00534,{"date":206,"score":135,"percentile":204},"2026-02-27",{"date":208,"score":209,"percentile":210},"2026-02-28",0.00008,0.00696,{"date":212,"score":209,"percentile":213},"2026-03-01",0.00695,{"date":215,"score":209,"percentile":216},"2026-03-02",0.00693,{"date":218,"score":209,"percentile":219},"2026-03-03",0.00704,{"date":221,"score":209,"percentile":222},"2026-03-04",0.00712,{"date":224,"score":209,"percentile":225},"2026-03-05",0.0072,{"date":227,"score":209,"percentile":228},"2026-03-06",0.00719,{"date":230,"score":209,"percentile":231},"2026-03-07",0.00718,{"date":233,"score":209,"percentile":234},"2026-03-08",0.00717,{"date":236,"score":209,"percentile":231},"2026-03-09",{"date":238,"score":209,"percentile":225},"2026-03-10",{"date":240,"score":209,"percentile":234},"2026-03-11",{"date":242,"score":209,"percentile":243},"2026-03-12",0.00724,{"date":245,"score":209,"percentile":246},"2026-03-13",0.00721,{"date":248,"score":209,"percentile":246},"2026-03-14",{"date":250,"score":209,"percentile":231},"2026-03-15",{"date":252,"score":209,"percentile":253},"2026-03-16",0.00716,{"date":255,"score":209,"percentile":256},"2026-03-17",0.00715,{"date":258,"score":209,"percentile":234},"2026-03-18",{"date":260,"score":209,"percentile":231},"2026-03-19",{"date":262,"score":209,"percentile":234},"2026-03-20",{"date":264,"score":209,"percentile":265},"2026-03-21",0.00771,{"date":267,"score":209,"percentile":268},"2026-03-22",0.00765,{"date":270,"score":209,"percentile":271},"2026-03-23",0.00767,{"date":273,"score":209,"percentile":268},"2026-03-24",{"date":275,"score":209,"percentile":276},"2026-03-25",0.0077,{"date":278,"score":209,"percentile":276},"2026-03-26",{"date":280,"score":135,"percentile":281},"2026-03-27",0.00584,{"date":283,"score":135,"percentile":284},"2026-03-28",0.00583,{"date":286,"score":135,"percentile":281},"2026-03-29",{"date":288,"score":135,"percentile":289},"2026-03-30",0.0058,{"date":291,"score":135,"percentile":292},"2026-03-31",0.00577,{"date":294,"score":135,"percentile":295},"2026-04-01",0.00576,{"date":297,"score":135,"percentile":289},"2026-04-02",{"date":299,"score":135,"percentile":300},"2026-04-03",0.00572,{"date":302,"score":135,"percentile":303},"2026-04-04",0.00573,{"date":305,"score":209,"percentile":306},"2026-04-05",0.00763,{"date":308,"score":209,"percentile":309},"2026-04-06",0.00764,{"date":311,"score":209,"percentile":268},"2026-04-07",{"date":313,"score":209,"percentile":309},"2026-04-08",{"date":315,"score":209,"percentile":316},"2026-04-09",0.00756,{"date":318,"score":209,"percentile":319},"2026-04-10",0.00757,{"date":321,"score":209,"percentile":322},"2026-04-11",0.00752,{"date":324,"score":209,"percentile":325},"2026-04-12",0.00746,{"date":327,"score":209,"percentile":328},"2026-04-13",0.00747,{"date":330,"score":209,"percentile":331},"2026-04-14",0.00743,{"date":333,"score":209,"percentile":334},"2026-04-15",0.00744,{"date":336,"score":209,"percentile":337},"2026-04-16",0.00748,{"date":339,"score":209,"percentile":337},"2026-04-17",{"date":341,"score":209,"percentile":342},"2026-04-18",0.00751,{"date":344,"score":209,"percentile":345},"2026-04-19",0.00749,{"date":347,"score":209,"percentile":325},"2026-04-20",{"date":349,"score":209,"percentile":350},"2026-04-21",0.00795,{"date":352,"score":209,"percentile":353},"2026-04-22",0.00797,{"date":355,"score":209,"percentile":356},"2026-04-23",0.00799,{"date":358,"score":209,"percentile":359},"2026-04-24",0.00796,{"date":361,"score":209,"percentile":362},"2026-04-25",0.00793,{"date":364,"score":209,"percentile":353},"2026-04-26",[366,371,373],{"source":81,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":367,"cvss_v4_0":9},{"baseScore":79,"baseSeverity":368,"vectorString":82,"impactScore":369,"exploitabilityScore":370},"MEDIUM",6,2.6,{"source":86,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":372,"cvss_v4_0":9},{"baseScore":79,"baseSeverity":368,"vectorString":82,"impactScore":369,"exploitabilityScore":370},{"source":87,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":374,"cvss_v4_0":9},{"baseScore":79,"baseSeverity":9,"vectorString":82,"impactScore":369,"exploitabilityScore":370},[376,387,395],{"ecosystem":377,"name":378,"vendor":379,"product":380,"cpe_part":9,"purl_type":381,"purl_namespace":379,"purl_name":380,"source":9,"versions":382},"Go","github.com/theupdateframework/go-tuf","github.com/theupdateframework","go-tuf","golang",[383],{"version":384,"is_range":385,"range_type":386,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"semver",{"ecosystem":377,"name":388,"vendor":378,"product":389,"cpe_part":9,"purl_type":381,"purl_namespace":378,"purl_name":389,"source":9,"versions":390},"github.com/theupdateframework/go-tuf/v2","v2",[391],{"version":392,"is_range":385,"range_type":386,"version_start":9,"version_start_type":9,"version_end":393,"version_end_type":394,"fixed_in":9},"lt2_4_1","2.4.1","excluding",{"ecosystem":9,"name":380,"vendor":396,"product":380,"cpe_part":397,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":398},"theupdateframework","a",[399],{"version":400,"is_range":385,"range_type":401,"version_start":402,"version_start_type":403,"version_end":393,"version_end_type":394,"fixed_in":9},"gte2.0.0_lt2.4.1","cpe","2.0.0","including"]