{
  "threat_severity" : "Important",
  "public_date" : "2026-04-09T13:47:46Z",
  "bugzilla" : {
    "description" : "go-getter: go-getter: Arbitrary file reads via maliciously crafted URL",
    "id" : "2456909",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456909"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.", "A flaw was found in the go-getter library. A remote attacker could exploit this vulnerability by providing a maliciously crafted URL during certain git operations. This could allow the attacker to perform arbitrary file reads on the file system, potentially leading to the disclosure of sensitive information." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Trusted Artifact Signer 1.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24478",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9",
    "package" : "rhtas/client-server-rhel9:1780399582"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/art-images",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "redhat-user-workloads/cli-v06",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/cli-v08",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-4660\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4660\nhttps://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311" ],
  "name" : "CVE-2026-4660",
  "csaw" : false
}