CVE-2026-4660 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-4660 PUBLISHED CVSS 7.5 HIGH

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

EPSS 0.03% · 8.9th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.03%

8.9th percentile

Affected Products

Vendor	Product	Versions
HashiCorp	Tooling	0

Timeline

Apr 9, 2026 CVE Published
Apr 9, 2026 PoC Published
Apr 9, 2026 PoC Published
Apr 9, 2026 Security Advisory
Apr 10, 2026 CVE Updated
Apr 10, 2026 EPSS Score

References

Open in Interactive Console →