CVE-2026-33762

EPSS 0.01%
Veröffentlicht 31.03.2026 13:47:42
Zuletzt bearbeitet 02.04.2026 16:49:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Go-git Project ≫ Go-git SwPlatformgo Version < 5.17.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	2.8	1.3	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8

Vendor Advisory

https://github.com/go-git/go-git/releases/tag/v5.17.1

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33762

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33762

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33762

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33762