CVE-2026-10303

Source
https://cve.org/CVERecord?id=CVE-2026-10303
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10303.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10303
Published
2026-06-16T18:24:43.712Z
Modified
2026-07-08T08:12:22.445319646Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
ServerCo getssl ACME shell script path injection
Details

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10303.json",
    "cna_assigner": "runZero",
    "cwe_ids": [
        "CWE-73"
    ]
}
References

Affected packages

Git / github.com/srvrco/getssl

Affected ranges

Type
GIT
Repo
https://github.com/srvrco/getssl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.49"
        }
    ]
}

Affected versions

2.*
2.29
2.48
2.49
2.50
Other
push
v1.*
v1.0
v1.84
v1.85
v1.87
v1.92
v2.*
v2.00
v2.03
v2.09
v2.10
v2.11
v2.12
v2.13
v2.14
v2.15
v2.16
v2.17
v2.18
v2.19
v2.20
v2.21
v2.22
v2.24
v2.26
v2.27
v2.28
v2.29
v2.30
v2.31
v2.32
v2.33
v2.34
v2.35
v2.36
v2.37
v2.38
v2.39
v2.41
v2.43
v2.44
v2.45
v2.46
v2.47
v2.49

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10303.json"