High severity · 7.5 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 13, 2026
CVE-2026-4660
Description
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/go-getter (Go) | < 1.8.6 | 1.8.6 |
Affected products
osv-coords: 81 versions. No CPE is listed for any entry.
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/cg | < 0.2.246-r1 |
| pkg:apk/chainguard/chainctl | < 0.2.248-r0 |
| pkg:apk/chainguard/chainctl-fips | < 0.2.247-r0 |
| pkg:apk/chainguard/cloudbeat-8.17 | < 8.17.10-r14 |
| pkg:apk/chainguard/cloudbeat-8.19 | < 8.19.13-r8 |
| pkg:apk/chainguard/cloudbeat-9.1 | < 9.1.10-r9 |
| pkg:apk/chainguard/cloudbeat-9.2 | < 9.2.7-r5 |
| pkg:apk/chainguard/cloudbeat-9.3 | < 9.3.3-r2 |
| pkg:apk/chainguard/cloudbeat-fips-8.19 | < 8.19.13-r6 |
| pkg:apk/chainguard/cloudbeat-fips-9.1 | < 9.1.10-r20 |
| pkg:apk/chainguard/cloudbeat-fips-9.2 | < 9.2.8-r4 |
| pkg:apk/chainguard/cloudbeat-fips-9.3 | < 9.3.2-r8 |
| pkg:apk/chainguard/conftest | < 0.68.2-r0 |
| pkg:apk/chainguard/conftest-fips | < 0.68.2-r0 |
| pkg:apk/chainguard/crossplane-provider-terraform | < 1.1.1-r11 |
| pkg:apk/chainguard/crossplane-provider-terraform-fips | < 1.1.1-r8 |
| pkg:apk/chainguard/grype | < 0.111.0-r3 |
| pkg:apk/chainguard/grype-db | < 0.53.3-r5 |
| pkg:apk/chainguard/grype-fips | < 0.112.0-r6 |
| pkg:apk/chainguard/k9s | < 0.50.18-r18 |
| pkg:apk/chainguard/k9s-fips | < 0.50.18-r14 |
| pkg:apk/chainguard/kots | < 1.130.0-r4 |
| pkg:apk/chainguard/kubescape | < 4.0.5-r0 |
| pkg:apk/chainguard/kubescape-server | < 4.0.5-r0 |
| pkg:apk/chainguard/kubescape-server-downloader | < 4.0.5-r0 |
| pkg:apk/chainguard/kubescape-server-fips | < 4.0.5-r0 |
| pkg:apk/chainguard/kubescape-server-fips-downloader | < 4.0.5-r0 |
| pkg:apk/chainguard/opentofu-1.10 | < 1.10.9-r10 |
| pkg:apk/chainguard/opentofu-1.11 | < 1.11.6-r1 |
| pkg:apk/chainguard/opentofu-fips-1.10 | < 1.10.9-r11 |
| pkg:apk/chainguard/opentofu-fips-1.11 | < 1.11.8-r1 |
| pkg:apk/chainguard/packer | < 1.15.3-r8 |
| pkg:apk/chainguard/packer-fips | < 1.15.3-r7 |
| pkg:apk/chainguard/snyk-cli | < 1.1304.0-r2 |
| pkg:apk/chainguard/steampipe | < 2.4.4-r2 |
| pkg:apk/chainguard/syft | < 1.42.4-r2 |
| pkg:apk/chainguard/syft-fips | < 1.42.4-r1 |
| pkg:apk/chainguard/task | < 3.50.0-r0 |
| pkg:apk/chainguard/task-fips | < 3.50.0-r0 |
| pkg:apk/chainguard/terraform | < 1.5.7-r47 |
| pkg:apk/chainguard/terraform-1.13 | < 1.13.5-r13 |
| pkg:apk/chainguard/terraform-1.14 | < 1.14.9-r0 |
| pkg:apk/chainguard/terraform-fips-1.13 | < 1.13.5-r18 |
| pkg:apk/chainguard/terraform-fips-1.14 | < 1.14.9-r0 |
| pkg:apk/chainguard/terragrunt | < 1.0.1-r0 |
| pkg:apk/chainguard/terragrunt-fips | < 1.0.1-r0 |
| pkg:apk/chainguard/tflint | < 0.62.1-r2 |
| pkg:apk/chainguard/tflint-fips | < 0.62.1-r2 |
| pkg:apk/chainguard/tfsec | < 1.28.14-r35 |
| pkg:apk/chainguard/trivy | < 0.69.3-r12 |
| pkg:apk/chainguard/trivy-fips | < 0.69.3-r7 |
| pkg:apk/chainguard/trivy-operator | < 0.30.1-r6 |
| pkg:apk/chainguard/trivy-operator-fips | < 0.30.1-r5 |
| pkg:apk/chainguard/wolfictl | < 0.39.10-r0 |
| pkg:apk/chainguard/xeol | < 0.10.8-r34 |
| pkg:apk/chainguard/xeol-fips | < 0.10.8-r32 |
| pkg:apk/chainguard/zarf | < 0.77.0-r0 |
| pkg:apk/chainguard/zarf-fips | < 0.74.2-r5 |
| pkg:apk/chainguard/zot | < 2.1.15-r12 |
| pkg:apk/wolfi/conftest | < 0.68.2-r0 |
| pkg:apk/wolfi/grype | < 0.111.0-r3 |
| pkg:apk/wolfi/k9s | < 0.50.18-r18 |
| pkg:apk/wolfi/kots | < 1.130.0-r4 |
| pkg:apk/wolfi/kubescape | < 4.0.5-r0 |
| pkg:apk/wolfi/opentofu-1.10 | < 1.10.9-r10 |
| pkg:apk/wolfi/opentofu-1.11 | < 1.11.6-r1 |
| pkg:apk/wolfi/snyk-cli | < 1.1304.0-r2 |
| pkg:apk/wolfi/steampipe | < 2.4.4-r2 |
| pkg:apk/wolfi/syft | < 1.42.4-r2 |
| pkg:apk/wolfi/task | < 3.50.0-r0 |
| pkg:apk/wolfi/terraform | < 1.5.7-r47 |
| pkg:apk/wolfi/terragrunt | < 1.0.1-r0 |
| pkg:apk/wolfi/tflint | < 0.62.1-r2 |
| pkg:apk/wolfi/tfsec | < 1.28.14-r35 |
| pkg:apk/wolfi/trivy | < 0.69.3-r12 |
| pkg:apk/wolfi/trivy-operator | < 0.30.1-r6 |
| pkg:apk/wolfi/wolfictl | < 0.39.10-r0 |
| pkg:apk/wolfi/xeol | < 0.10.8-r34 |
| pkg:apk/wolfi/zarf | < 0.77.0-r0 |
| pkg:apk/wolfi/zot | < 2.1.15-r12 |
| pkg:golang/github.com/hashicorp/go-getter | < 1.8.6 |