Home / Vulnerability Intelligence / CVE-2026-4660

CVE-2026-4660 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: April 9, 2026

HashiCorp go-getter - Path Traversal

Published: April 9, 2026Updated: April 9, 2026PoC AvailableRemote Exploitable

Overview

HashiCorp go-getter <= v1.8.5 contains a file system read vulnerability caused by maliciously crafted URLs during git operations, letting attackers read arbitrary files, exploit requires crafted URL input.

Severity & Score

Severity: High

CVSS Score: 7.5

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can read arbitrary files on the file system, potentially exposing sensitive information.

Mitigation

Upgrade to version v1.8.6 or later.

References

https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311

Social Media Activity(1 post)

EUVD Bot

@EUVD_Bot

Apr 9, 2026

🚨 EUVD-2026-20894 📊 Score: 7.5/10 (CVSS v3.1) 📦 Product: Tooling 🏢 Vendor: Hashicorp 📅 Updated: 2026-04-09 📝 HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affec... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-20894 #cybersecurity #infosec #euvd #cve #vulnerability

View original post

Related Resources

Details

CVE ID: CVE-2026-4660
Severity: High
CVSS Score: 7.5
Type: path_traversal
Status: new
EPSS: 0.0%
Social Posts: 1

CWE

CWE-200

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days