Path Traversal Vulnerabilities in Billy Filesystem Abstraction for Go
CVE-2026-44973

8.1HIGH

Key Information:

Vendor: Go-git
Status: Go-billy
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-44973?

Billy, a filesystem abstraction for the Go programming language, has multiple path traversal vulnerabilities prior to version 5.9.0. These vulnerabilities are a result of insufficient path sanitization and boundary enforcement, allowing malicious users to escape intended base directories through crafted paths (e.g., using '..'). Although Billy was not designed for strong security boundaries, the inconsistent enforcement of these boundaries across different built-in implementations can lead to unintended filesystem access. Applications utilizing go-billy for isolation may inadvertently expose sensitive data or allow unauthorized access. The identified vulnerabilities have been addressed in version 5.9.0, reinforcing the need for developers to update their implementations to ensure robust security practices.

Affected Version(s)

go-billy < 5.9.0

References

https://github.com/go-git/go-billy/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-44973 Data

JSON

Go-git

What is CVE-2026-44973?

Affected Version(s)

References

CVSS V3.1

Timeline