GHSA-x99g-8v8j-25j2

Source
https://github.com/advisories/GHSA-x99g-8v8j-25j2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x99g-8v8j-25j2/GHSA-x99g-8v8j-25j2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x99g-8v8j-25j2
Published
2026-04-26T06:31:16Z
Modified
2026-05-05T20:49:58.785610Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
Ollama is Vulnerable to Path Traversal
Details

A security flaw has been discovered in Ollama up to 0.20.2. It affects the function digestToPath in the file x/imagegen/transfer/transfer.go of the Tensor Model Transfer Handler component. Manipulating the digest argument results in path traversal. The attack can be carried out remotely, but its complexity is high and exploitation is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Database specific
{
    "severity": "LOW",
    "nvd_published_at": "2026-04-26T05:16:02Z",
    "github_reviewed_at": "2026-05-05T20:33:28Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true
}
Affected packages

Go / github.com/ollama/ollama

Package

Name
github.com/ollama/ollama
Purl
pkg:golang/github.com/ollama/ollama

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.20.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x99g-8v8j-25j2/GHSA-x99g-8v8j-25j2.json"