Go-Acme Lego vulnerabilities
2 known vulnerabilities affecting go-acme/lego.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, LOW 1
Vulnerabilities
CVE-2026-40611 | P3 | HIGH | CVSS 8.8 | CWE-22 | fixed in 4.34.0 | 2026-04-21
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable b
nvd
CVE-2025-54799 | P4 | LOW | CVSS 2.3 | CWE-319 | fixed in 4.25.2 | 2025-08-07
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (and thus the lego library and the lego CLI as well) does not enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol require
nvd