CVE-2026-10303

June 16, 2026, 8:47 p.m.

7.4
High

Description

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

Product(s) Impacted

Vendor Product Versions
Serverco
  • Getssl
  • <2.49

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-73
External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a serverco getssl <2.49 / / / / / / /

References

https://github.com/srvrco/getssl/pull/896
https://github.com/srvrco/getssl/releases/tag/v2.50
https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/
https://www.cve.org/CVERecord?id=CVE-2023-38198
https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/

Tags

CWE-73
44488dab-36db-4358-99f9-bc116477f914
2026-06-16
CVE-2026-10303

CVSS Score

7.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: June 16, 2026, 8:16 p.m.
Last Modified: June 16, 2026, 8:47 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

44488dab-36db-4358-99f9-bc116477f914

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.