HIGH
go-acme
CVE published 2026-04-21
CVE-2026-40611
CVE-2026-40611 is a high-severity vulnerability in the Lego ACME library, a Go-based client and ACME library. Prior to version 4.34.0, the webroot HTTP-01 challenge provider in Lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing Lego to write attacker-influenced content to any path writab [truncated]