VYPR

Vendor: Theupdateframework
Products: 2
CVEs: 7 (across products: 7)
Status: Private


Recent CVEs (7)
  • CVE-2020-15163 (High), Sep 9, 2020
    risk 0.50, cvss 8.7, epss 0.01

    The Python TUF (The Update Framework) reference implementation before version 0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata…

  • CVE-2024-47534 (High), Oct 1, 2024
    risk 0.46, cvss not listed, epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C"…

  • CVE-2022-29173 (High), May 5, 2022
    risk 0.45, cvss 8.0, epss 0.01

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker…

  • CVE-2021-41131 (High), Oct 19, 2021
    risk 0.42, cvss 7.5, epss 0.01

    python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to…

  • CVE-2026-24686, Jan 27, 2026
    risk 0.00, cvss not listed, epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version…

  • CVE-2026-23992, Jan 22, 2026
    risk 0.00, cvss not listed, epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification.…

  • CVE-2026-23991, Jan 22, 2026
    risk 0.00, cvss not listed, epss 0.01

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,…