🔐 CVE Alert

CVE-2026-4660

HIGH 7.5

go-getter may allow arbitrary filesystem reads through git operations

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 9th

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

CWE: CWE-200
Vendor: hashicorp
Product: tooling
Published: Apr 9, 2026
Last Updated: Apr 13, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

HashiCorp / Tooling: 0 < 1.8.6 (all versions before 1.8.6)

References

discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311