CVE-2026-44973— Billy: Path traversal vulnerabilities
Possible ATT&CK Techniques 1AI
T1083 · File and Directory DiscoveryGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44973
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Billy: Path traversal vulnerabilities
Source: NVD (National Vulnerability Database)
Vulnerability Description
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
go-billy 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
go-billy是go-git开源的一个文件系统抽象接口库。 go-billy 5.9.0之前版本存在路径遍历漏洞,该漏洞源于多个组件中存在路径遍历问题,路径清理和边界执行不足可能导致访问意外文件系统位置。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44973
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44973
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44973 (1)
IV. Related Vulnerabilities
Same vendor: go-git
- CVE-2026-44740
go-billy: Lack of depth and cycle detection in symlink resol - CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transpo - CVE-2026-45571
go-git: Crafted repositories may modify main and submodule . - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP
Same weakness: CWE-22
- CVE-2026-41412
alf.io vulnerable to Arbitrary File Read and Exfil via simpl - CVE-2026-49144
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP H - CVE-2026-32685
Path Traversal in gleam docs build via documentation.pages A - CVE-2026-43965
Path Traversal in build/packages/packages.toml Allows Arbitr - CVE-2026-49136
Banana Slides 0.4.0 Path Traversal via generate_image() in a
V. Comments for CVE-2026-44973
No comments yet