Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of [truncated]
CVE-2026-44973 documents multiple path traversal vulnerabilities in go-billy, a Go filesystem abstraction library maintained by the go-git project. The vulnerability stems from insufficient path sanitization and boundary enforcement across different components of the library, allowing crafted paths using directory traversal sequences (e.g., ..) to escape intended base directories. While go-billy was not o [truncated]
A path validation vulnerability in go-git, a pure Go Git implementation library, could allow crafted repository data to write files outside the intended checkout directory, including the repository's .git directory. The issue stems from go-git lacking validations that upstream Git introduced years ago. Affected versions are prior to 5.19.1 and 6.0.0-alpha.4; fixed versions are 5.19.1 and 6.0.0-alpha.4. Th [truncated]
go-git is a pure Go implementation of Git operations used by many applications for programmatic repository interaction. This CVE documents a command injection vulnerability in the library's SSH transport layer where repository paths containing single quotes are not properly escaped when constructing remote exec commands. The vulnerability allows path contents to break out of quoted regions and append addi [truncated]
go-git is a pure Go implementation of Git used by many tools and services for programmatic repository operations. This vulnerability affects versions prior to 5.19.0 and 6.0.0-alpha.3, where malformed Git objects may be parsed differently than upstream Git would handle them. When commit or tag objects contain ambiguous or malformed headers, go-git's internal representation can expose values that diverge f [truncated]