CVE-2026-44973

NameCVE-2026-44973
DescriptionBilly is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-go-git-go-billy (PTS)bookworm5.3.1-3vulnerable
trixie5.5.0-1vulnerable
forky, sid5.8.0-1vulnerable
golang-github-go-git-go-billy-v6 (PTS)forky, sid6~git20260226.45bd095-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-go-git-go-billysource(unstable)(unfixed)
golang-github-go-git-go-billy-v6source(unstable)(unfixed)

Notes

https://github.com/go-git/go-billy/security/advisories/GHSA-qw64-3x98-g7q2
Search for package or bug name: Reporting problems