CVE-2026-44973

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-44973

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44973.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-44973

Aliases

GHSA-qw64-3x98-g7q2

Downstream

CLEANSTART-2026-OS93204

CLEANSTART-2026-UY49411

DEBIAN-CVE-2026-44973

MINI-22w9-f6jr-qjx9

MINI-22wp-x7jr-5cxj

MINI-244m-8hpr-mc45

MINI-25qr-m9j8-f448

MINI-285f-qq36-4948

MINI-297j-wxvv-p25x

MINI-2m56-r4wj-gx76

MINI-2ph5-8p8v-hcc3

MINI-2wv9-7767-42w5

MINI-32hx-mwj6-q3rv

MINI-32p9-v882-3rxq

MINI-393v-7cpp-wpw2

MINI-3q4g-94r3-gcgp

MINI-3qgc-qrg7-r563

MINI-3x98-fp6p-mrwj

MINI-3xcr-mphg-29r4

MINI-423p-w8wm-xrj2

MINI-445j-g3jp-55hc

MINI-445p-c3xp-5grm

MINI-464v-9qh7-qf57

MINI-468m-gjpv-39g5

MINI-46wm-c9rj-85w7

MINI-4qjv-9x76-q43q

MINI-576v-9j3g-qxj7

MINI-5c34-vfwg-cf3q

MINI-5fh2-3m5q-wv3c

MINI-5fm3-xv2q-hfgj

MINI-5p2w-jhjg-7w3q

MINI-5rh7-gw82-6pc4

MINI-5vm4-v75x-2gcr

MINI-68vf-fjp9-pjp3

MINI-6g2p-3fhm-r59h

MINI-6h6x-gj72-cj49

MINI-6jjx-g8mx-h3gj

MINI-6wf5-hm88-5w7h

MINI-6x73-xh6f-h4v8

MINI-7267-3rh2-pgj2

MINI-77v4-f966-pjf4

MINI-7ghp-wf97-pw45

MINI-7j2g-jhg9-wjhv

MINI-7v9r-m976-cc67

MINI-833p-rcr2-jvp6

MINI-89p3-xhf6-2q3g

MINI-8g5w-p3gc-63f3

MINI-8mjw-335h-843g

MINI-8qr6-39wx-xqf3

MINI-8xwv-xjr2-36pm

MINI-9287-4939-rvvh

MINI-97qj-rh9x-mgfw

MINI-9c9f-pxpj-6h2q

MINI-9cjh-3vx5-qg3w

MINI-9grv-prqr-ch8x

MINI-9h43-5g5m-mr5j

MINI-9h69-j9gr-8g93

MINI-9m53-6xpv-7r8m

MINI-9q95-73gr-33x2

MINI-9rpg-6h85-gccj

MINI-9rxh-gv88-273q

MINI-cg4j-f6jx-xr9r

MINI-cp8h-cwhx-gxr2

MINI-f6f7-3q88-gq2j

MINI-f822-6cjv-3cxj

MINI-fm3g-5w5g-p6x6

MINI-fpg8-q2jq-7fwr

MINI-fpqx-2gm4-7j59

MINI-g2r4-m59m-jhh4

MINI-g2vh-wcpv-hgg8

MINI-g3ff-3964-p7cg

MINI-g4qm-cjx4-879g

MINI-g863-xcxv-m848

MINI-gcfq-cvjq-6h36

MINI-ggrh-w467-2p56

MINI-gj3c-q7cx-v47g

MINI-gmg7-6mgj-qhhr

MINI-h2mm-6m79-3vr5

MINI-h4cc-r8q4-6w5g

MINI-h6g6-q8pc-hh4f

MINI-hc9w-x8jw-qc75

MINI-hcrf-gvg9-xg6j

MINI-hf33-vjrw-j9jv

MINI-hf45-7p3q-c4r3

MINI-hg25-9r48-5w8v

MINI-hgjp-9j6h-8j8j

MINI-hvm8-f9x7-vgv3

MINI-hvxp-gr8m-4q6x

MINI-hx47-mw98-g5vh

MINI-hx58-48m8-wj7m

MINI-j2h9-w953-mw2r

MINI-j5x5-cr4g-vjr7

MINI-j69h-gpqp-75cp

MINI-j963-7qvv-c52x

MINI-jgm2-p6r5-7w87

MINI-jhvr-v6m2-rxf2

MINI-jq5f-8v9m-mwjh

MINI-jrc7-v9c8-cv4v

MINI-m5c8-hh6m-wcxx

MINI-m8ww-34v7-4pgc

MINI-m9vq-7vp6-886x

MINI-mg24-v755-pj27

MINI-mgq5-9qj7-mpc8

MINI-mgrc-jgfg-4h4j

MINI-mhmc-jjpv-6qxv

MINI-mhrf-fjq8-hvvq

MINI-mjmm-vp66-mxjc

MINI-mqp3-46f9-7p37

MINI-mw97-pr43-wwrw

MINI-p2r2-wxwh-pr5f

MINI-p823-g969-jpj2

MINI-p966-gh94-5f7v

MINI-pgjw-gwxc-rm4g

MINI-pmh5-jr8j-5p9v

MINI-ppvx-fq59-w5fg

MINI-q3m3-hp37-mwrc

MINI-qc6w-6r7f-4g69

MINI-qcpm-4j9v-phj8

MINI-qfpp-6g3x-4rm7

MINI-qgpf-hv99-xcph

MINI-qjrp-2863-9xp9

MINI-qjxc-56fv-8xx8

MINI-qwh8-qqrc-mgc3

MINI-qx52-mhj3-2r42

MINI-r9j3-q452-7fx2

MINI-r9jm-f3v9-9499

MINI-r9xm-qmqq-v2q3

MINI-rc87-mgmr-cqwv

MINI-rv3f-j8rf-c25f

MINI-rxr4-x4cp-888x

MINI-v48q-9c95-47vx

MINI-v4hp-g83w-2232

MINI-v77p-8g43-hm73

MINI-v7pw-xrj6-9gmm

MINI-v8rv-v4fw-23hv

MINI-vfph-2jfx-fcx6

MINI-vw32-p44w-ff38

MINI-w34w-5w5h-9cj3

MINI-w39c-wg63-fppr

MINI-w5gf-h4f6-rq5r

MINI-w75c-6746-66mg

MINI-w7p2-7829-qqr3

MINI-x3pq-p839-wcf6

MINI-x7m4-8p3h-v5v8

MINI-x8mf-vv94-9wp6

MINI-xc6f-4vwf-cfgj

MINI-xgfr-vcpj-gpcm

MINI-xq9p-gv5p-mr6g

MINI-xv26-rfv6-q3xq

MINI-xvwf-xh72-j2m8

ROOT-APP-GOBINARY-CVE-2026-44973

UBUNTU-CVE-2026-44973

Related

CGA-w99c-3vgh-qrg5

Published

2026-05-28T21:26:14.734Z

Modified

2026-06-02T03:54:12.283765539Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Billy: Path traversal vulnerabilities

Details

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44973.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/go-git/go-billy

Affected ranges

Type

GIT

Repo

https://github.com/go-git/go-billy

Events

Introduced

Fixed

237e529bb8de61704047f71a5ab1c8e6676492f1

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.9.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other

v1-alpha

v1.*

v1.0.0

v2.*

v2.0.0

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v3.*

v3.0.0

v3.0.1

v3.1.0

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.1.0

v4.1.1

v4.2.0

v4.2.1

v4.3.0

v4.3.1

v4.3.2

v5.*

v5.0.0

v5.1.0

v5.2.0

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.5.0

v5.6.0

v5.6.1

v5.6.2

v5.7.0

v5.8.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44973.json"