CVE-2026-4660 · PATCHED · CVSS 7.5
hashi · tooling

Go-getter may allow to arbitrary filesystem reads through git operations

Description

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Affected Products

Vendor | Product | Versions
hashi | tooling | 0

References

  • https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311

Related News (1 article)

Tier C
VulDB · 8d ago
CVE-2026-4660 | HashiCorp Tooling up to 1.8.5 information disclosure
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: github.com/hashicorp/go-getter@1.8.6
CWE: CWE-200
Published: Apr 9, 2026
Trending Score: 9
Source articles: 1
Independent: 1
Info Completeness: 0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-4525 · EXP
Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
Trending: 49
HIGH · CVE-2026-3605 · EXP
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
Trending: 49
MEDIUM · CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
Trending: 43
HIGH · CVE-2026-5807
Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Trending: 35
PRE-CVE
Vault KVv2 Metadata and Secret Deletion Policy Bypass and Server-Side Request Forgery Vulnerabilities
Trending: 20

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Patch Available: Apr 13, 2026