VYPR

Go modules package

github.com/go-acme/lego/v4

pkg:golang/github.com/go-acme/lego/v4

Vulnerabilities (2)

  • CVE-2026-40611HigApr 21, 2026
    affected < 4.34.0fixed 4.34.0

    Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences

  • CVE-2025-54799LowAug 7, 2025
    affected < 4.25.2fixed 4.25.2

    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which