PatchSiren cyber security CVE debrief

CVE-2026-10303 ServerCo CVE debrief

CVE-2026-10303 is a HIGH severity vulnerability in ServerCo getssl version 2.49 and prior. The issue involves improper validation of ACME challenge tokens, which could allow an attacker to achieve unauthorized file write/path traversal effects and potentially lead to remote command injection. This vulnerability is an instance of CWE-73, 'External control of file name or path.'

Vendor: ServerCo
Product: getssl
CVSS: HIGH (7.4)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-16
Original CVE updated: 2026-06-17
Advisory published: 2026-06-16
Advisory updated: 2026-06-17

Who should care

Users of ServerCo getssl version 2.49 and prior should apply patches or updates to mitigate this vulnerability. Attackers who can supply ACME challenge responses to getssl could exploit this issue.

Technical summary

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling. This allowed a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection.
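The check the summary describes is a strict RFC 8555 token validation applied before the token is ever used as part of a filename. The following POSIX shell functions are an added illustration of that check, written for this debrief; they are not getssl's own code. RFC 8555 section 8.3 requires a challenge token to contain only characters from the base64url alphabet, with no padding, and to carry at least 128 bits of entropy. The directory argument and the sample tokens are constructed for the example.

```shell
#!/bin/sh
# Added example for this debrief, not code from getssl.
# Validate an ACME challenge token against RFC 8555 section 8.3 before it is
# used to name a file under the .well-known/acme-challenge directory.
# Use the C locale so character ranges in the pattern are plain ASCII.
LC_ALL=C
export LC_ALL

# Return 0 if the token is a syntactically valid RFC 8555 token, 1 otherwise.
# The base64url alphabet is [A-Za-z0-9_-]; anything else (including '/',
# '.', '=', whitespace and shell metacharacters) is rejected, so a token can
# never contain a path separator or a "../" sequence.
validate_acme_token() {
    tok=$1
    case "$tok" in
        "") return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    # 128 bits of entropy is 22 base64url characters; the upper bound is an
    # assumed sanity limit, not an RFC requirement.
    len=${#tok}
    [ "$len" -ge 22 ] && [ "$len" -le 128 ]
}

# Build the challenge-file path only from a validated token.
# Prints the path and returns 0, or prints nothing and returns 1 when the
# token is rejected. The first argument is the web root (constructed here).
challenge_path() {
    dir=$1
    tok=$2
    validate_acme_token "$tok" || return 1
    printf '%s/.well-known/acme-challenge/%s\n' "$dir" "$tok"
}

# Stand-alone demonstration with constructed inputs; the first token is the
# sample value given in RFC 8555 section 8.3.
if [ "${1:-}" = "demo" ]; then
    challenge_path /var/www/html evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA \
        && echo "accepted"
    challenge_path /var/www/html '../../tmp/x' || echo "rejected traversal"
    challenge_path /var/www/html 'short' || echo "rejected short token"
fi
```

The key design choice is the order of operations: the token is validated as an opaque identifier first, and the path is assembled only from a value that has already passed, rather than trying to sanitise a path after the token has been spliced into it.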

Defensive priority

HIGH

Recommended defensive actions

  • Apply patches or updates to ServerCo getssl to ensure proper validation of ACME challenge tokens.
  • Restrict access to ACME challenge responses to prevent tampering.
  • Monitor for suspicious activity related to getssl and ACME challenge responses.

Evidence notes

This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, 'External control of file name or path.'

Official resources

CVE-2026-10303 was published on 2026-06-16T20:16:26.963Z and modified on 2026-06-16T20:47:43.440Z.