PatchSiren

go-acme CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH go-acme CVE published 2026-04-21

CVE-2026-40611

CVE-2026-40611 is a high-severity vulnerability in Lego, a Go-based ACME client and library. Prior to version 4.34.0, the webroot HTTP-01 challenge provider in Lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing Lego to write attacker-influenced content to any path writab [truncated]