logo

Database

Local file inclusion In github.com/hashicorp/go-getter

Description

HashiCorp's go-getter library may allow arbitrary file reads HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-46602. NVD-2026-46603. OSV-2026-46604. OSV-DEBIAN-2026-46605. GCVE-2026-46606. SECURITY-TRACKER-CVE-2026-4660

References

1. https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/773112. https://github.com/gouldnicholas/CVE-2026-4660-PoC

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.