Github.Com Go-Acme Lego V4 vulnerabilities
2 known vulnerabilities affecting github.com/go-acme_lego_v4.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH: 1, LOW: 1
Vulnerabilities
CVE-2026-40611 | P3 | HIGH | affected versions: ≥ 0, < 4.34.0 | 2026-04-16
CVE-2026-40611 [HIGH] CWE-22 ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
### Summary
The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing `../` sequences, causing lego to write attacker-influenced content to any path writable by the lego process.
CVE-2025-54799 | P4 | LOW | affected versions: ≥ 0, < 4.25.2 | 2025-08-06
CVE-2025-54799 [LOW] CWE-319 github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
### Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (and therefore the lego library and the lego CLI as well) does not enforce HTTPS when talking to CAs as an ACME client.
### Details
Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with