Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:01
Summary
Security fixes for CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142 applied in versions: 1.29.2-r0, 1.29.2-r1
Details
Multiple security vulnerabilities affect the temporal-server-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "temporal-server-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.2-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the temporal-server-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-BT99405",
"modified": "2026-03-19T07:01:48Z",
"published": "2026-04-01T09:43:54.267145Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-BT99405.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142 applied in versions: 1.29.2-r0, 1.29.2-r1",
"upstream": [
"CVE-2026-24051",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27142"
]
}
CVE-2026-27142 (GCVE-0-2026-27142)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-16 15:21
VLAI?
EPSS
Title
URLs in meta content attribute actions are not escaped in html/template
Summary
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | html/template |
Affected:
0 , < 1.25.8
(semver)
Affected: 1.26.0-0 , < 1.26.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:21:11.058826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:21:14.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "html/template",
"product": "html/template",
"programRoutines": [
{
"name": "tTag"
},
{
"name": "escaper.escapeAction"
},
{
"name": "Template.Execute"
},
{
"name": "Template.ExecuteTemplate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.1",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:28:14.674Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"url": "https://go.dev/issue/77954"
},
{
"url": "https://go.dev/cl/752081"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4603"
}
],
"title": "URLs in meta content attribute actions are not escaped in html/template"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27142",
"datePublished": "2026-03-06T21:28:14.674Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-03-16T15:21:14.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27139 (GCVE-0-2026-27139)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-09 14:53
VLAI?
EPSS
Title
FileInfo can escape from a Root in os
Summary
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Severity ?
CWE
- CWE-363 - Race Condition Enabling Link Following
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | os |
Affected:
0 , < 1.25.8
(semver)
Affected: 1.26.0-0 , < 1.26.1 (semver) |
Credits
Miloslav Trmač of Red Hat
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T14:53:55.467850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T14:53:58.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "os",
"product": "os",
"programRoutines": [
{
"name": "File.ReadDir"
},
{
"name": "File.Readdir"
},
{
"name": "ReadDir"
},
{
"name": "dirFS.ReadDir"
},
{
"name": "rootFS.ReadDir"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.1",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Miloslav Trma\u010d of Red Hat"
}
],
"descriptions": [
{
"lang": "en",
"value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-363: Race Condition Enabling Link Following",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:28:14.451Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"url": "https://go.dev/issue/77827"
},
{
"url": "https://go.dev/cl/749480"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4602"
}
],
"title": "FileInfo can escape from a Root in os"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-27139",
"datePublished": "2026-03-06T21:28:14.451Z",
"dateReserved": "2026-02-17T19:57:28.435Z",
"dateUpdated": "2026-03-09T14:53:58.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26958 (GCVE-0-2026-26958)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:01 – Updated: 2026-02-20 15:39
VLAI?
EPSS
Title
filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity
Summary
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.
Severity ?
CWE
- CWE-665 - Improper Initialization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FiloSottile | filippo.io/edwards25519 |
Affected:
< 1.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:27:08.887006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:39:04.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "filippo.io/edwards25519",
"vendor": "FiloSottile",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665: Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:01:26.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr"
},
{
"name": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb"
},
{
"name": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1"
}
],
"source": {
"advisory": "GHSA-fw7p-63qq-7hpr",
"discovery": "UNKNOWN"
},
"title": "filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26958",
"datePublished": "2026-02-19T23:01:26.923Z",
"dateReserved": "2026-02-16T22:20:28.611Z",
"dateUpdated": "2026-02-20T15:39:04.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25679 (GCVE-0-2026-25679)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37
VLAI?
EPSS
Title
Incorrect parsing of IPv6 host literals in net/url
Summary
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Severity ?
7.5 (High)
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/url |
Affected:
0 , < 1.25.8
(semver)
Affected: 1.26.0-0 , < 1.26.1 (semver) |
Credits
Masaki Hara (https://github.com/qnighy) of Wantedly
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:36:26.554241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:37:02.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/url",
"product": "net/url",
"programRoutines": [
{
"name": "parseHost"
},
{
"name": "JoinPath"
},
{
"name": "Parse"
},
{
"name": "ParseRequestURI"
},
{
"name": "URL.Parse"
},
{
"name": "URL.UnmarshalBinary"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.1",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
}
],
"descriptions": [
{
"lang": "en",
"value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:28:14.211Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/752180"
},
{
"url": "https://go.dev/issue/77578"
},
{
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"title": "Incorrect parsing of IPv6 host literals in net/url"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-25679",
"datePublished": "2026-03-06T21:28:14.211Z",
"dateReserved": "2026-02-05T01:33:41.943Z",
"dateUpdated": "2026-03-10T13:37:02.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24051 (GCVE-0-2026-24051)
Vulnerability from cvelistv5 – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54
VLAI?
EPSS
Title
OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
Summary
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
Severity ?
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| open-telemetry | opentelemetry-go |
Affected:
>= 1.21.0, < 1.40.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T14:53:50.389773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T14:54:41.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-go",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.21.0, \u003c 1.40.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T19:49:10.038Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
}
],
"source": {
"advisory": "GHSA-9h8m-3fm2-qjrq",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24051",
"datePublished": "2026-02-02T19:49:10.038Z",
"dateReserved": "2026-01-20T22:30:11.778Z",
"dateUpdated": "2026-02-03T14:54:41.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…