VYPR

Go modules package

github.com/theupdateframework/go-tuf/v2

pkg:golang/github.com/theupdateframework/go-tuf/v2

Vulnerabilities (4)

  • CVE-2026-24686Jan 27, 2026
    affected < 2.4.1fixed 2.4.1

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.

  • CVE-2026-23992Jan 22, 2026
    affected < 2.3.1fixed 2.3.1

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This

  • CVE-2026-23991Jan 22, 2026
    affected < 2.3.1fixed 2.3.1

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,

  • CVE-2024-47534HigOct 1, 2024
    affected < 2.0.1fixed 2.0.1

    go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but