Browse all 7 CVE security advisories affecting theupdateframework. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Theupdateframework is an open-source software update system designed to securely deliver software updates and patches. Historically, it has been vulnerable to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and insecure default configurations. While no major public security incidents have been widely documented, the framework's seven CVEs highlight potential risks in its implementation. Its security relies on cryptographic signatures and package metadata verification, but misconfigurations can undermine these protections. Organizations implementing TUF must ensure proper key management and validation to prevent supply chain attacks.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-24686 | go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names — go-tufCWE-22 | 4.7 | Medium | 2026-01-27 |
| CVE-2026-23992 | go-tuf improperly validates the configured threshold for delegations — go-tufCWE-347 | 5.9 | Medium | 2026-01-22 |
| CVE-2026-23991 | go-tuf affected by client DoS via malformed server response — go-tufCWE-617 | 5.9 | Medium | 2026-01-22 |
| CVE-2024-47534 | Incorrect delegation lookups can make go-tuf download the wrong artifact — go-tufCWE-362 | - | - | 2024-10-01 |
| CVE-2022-29173 | No protection against rollback attacks in go-tuf — go-tufCWE-354 | 8.0 | High | 2022-05-05 |
| CVE-2021-41131 | Client metadata path-traversal in python-tuf — python-tufCWE-22 | 7.5 | High | 2021-10-19 |
| CVE-2020-15163 | Invalid root may become trusted root in The Update Framework (TUF) — tufCWE-863 | 8.7 | High | 2020-09-09 |
This page lists every published CVE security advisory associated with theupdateframework. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.