CVE-2026-4660Sensitive Information Exposure in Tooling

CWE-200Sensitive Information ExposureCWE-22Path Traversal13 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 87.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Hashicorp ToolingGithub.com Hashicorp Go-getter
Timeline
PublishedApr 9
Latest updateApr 10

Description

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5hashicorp/tooling< 1.8.6

🔴Vulnerability Details

3
CVEList
Go-getter may allow to arbitrary filesystem reads through git operations2026-04-09
GHSA
GHSA-92mm-2pjq-r785: HashiCorp’s go-getter library up to v12026-04-09
GHSA
HashiCorp's go-getter library may allow arbitrary file reads2026-04-09

📋Vendor Advisories

1
Red Hat
go-getter: go-getter: Arbitrary file reads via maliciously crafted URL2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-4660 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

7
Bugzilla
CVE-2026-4660 golang-github-task: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]2026-04-10
Bugzilla
CVE-2026-4660 trivy: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]2026-04-10
Bugzilla
CVE-2026-4660 trivy: go-getter: Arbitrary file reads via maliciously crafted URL [epel-all]2026-04-10
Bugzilla
CVE-2026-4660 k9s: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]2026-04-10
Bugzilla
CVE-2026-4660 opentofu: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]2026-04-10
CVE-2026-4660 — Sensitive Information Exposure | cvebase