CVE-2026-10303

ServerCo getssl ACME shell script path injection

CVSS 7.4 HIGHEPSS 0.8%CWE-73

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.4EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

16 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Productos afectados

ServerCo · getssl

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/srvrco/getssl/pull/896 https://github.com/srvrco/getssl/releases/tag/v2.50 https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/https://www.cve.org/CVERecord?id=CVE-2023-38198 https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/