DEBIAN-CVE-2026-4660

DEBIAN-CVE-2026-4660 PUBLISHED CVSS 7.5 HIGH

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:12	golang-github-hashicorp-go-getter	1.4.1-1, 1.4.1-1, 0
Debian:11	golang-github-hashicorp-go-getter	1.4.1-1, 0, 0

Exploit Intelligence

PoC for CVE-2026-4660: arbitrary file read via git checkout in hashicorp/go-getter (github-poc-repo)
PoC for CVE-2026-4660: arbitrary file read via git checkout in hashicorp/go-getter (github-poc)
.trivyignore.yaml (github-poc)

Timeline

Apr 9, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-4660 advisory

Open in Interactive Console →