{"document": {"category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": {"category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/"}, "title": "ServerCo getssl ACME shell script path injection", "tracking": {"current_release_date": "2026-06-17T18:58:50Z", "generator": {"engine": {"name": "VINCE-NT", "version": "1.15.0+build.89"}}, "id": "VA-26-168-01", "initial_release_date": "2026-06-17T18:58:50Z", "status": "final", "version": "1.0.0", "revision_history": [{"number": "1.0.0", "summary": "Initial publication", "date": "2026-06-17T18:58:50Z"}]}, "distribution": {"tlp": {"label": "WHITE"}}, "notes": [{"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer"}, {"text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other"}, {"text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other"}, {"text": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection.", "title": "Risk Evaluation", "category": "summary"}, {"text": "Update to 2.50.", "title": "Recommended Practices", "category": "general"}, {"text": "United States", "title": "Company Headquarters Location", "category": "other"}], "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-168-01.json", "summary": "Vulnerability Advisory VA-26-168-01 CSAF", "category": "self"}]}, "product_tree": {"branches": [{"category": "vendor", "name": "ServerCo", "branches": [{"category": "product_name", "name": "getssl", "branches": [{"category": "product_version_range", "name": "<2.50", "product": {"name": "ServerCo getssl <2.50", "product_id": "CSAFPID-0001"}}, {"category": "product_version", "name": "2.50", "product": {"name": "ServerCo getssl 2.50", "product_id": "CSAFPID-0002"}}]}]}]}, "vulnerabilities": [{"cve": "CVE-2026-10303", "cwe": {"id": "CWE-73", "name": "External Control of File Name or Path"}, "notes": [{"category": "summary", "text": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:T/2026-06-17T18:41:00Z/"}], "title": "ServerCo getssl ACME shell script path injection", "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}, "references": [{"category": "external", "summary": "github.com", "url": "https://github.com/srvrco/getssl/pull/896"}, {"category": "external", "summary": "remyhax.xyz", "url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"}, {"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"}, {"category": "external", "summary": "www.runzero.com", "url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"}, {"category": "external", "summary": "github.com", "url": "https://github.com/srvrco/getssl/releases/tag/v2.50"}, {"category": "external", "summary": "CVE-2026-10303", "url": "https://www.cve.org/CVERecord?id=CVE-2026-10303"}, {"category": "external", "summary": "VA-26-168-01", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-168-01.json"}], "scores": [{"cvss_v3": {"baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "products": ["CSAFPID-0001"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 2.50.", "url": "https://github.com/srvrco/getssl/pull/896", "product_ids": ["CSAFPID-0001"], "date": "2026-05-30T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 2.50.", "url": "https://github.com/srvrco/getssl/pull/896", "product_ids": ["CSAFPID-0002"], "date": "2026-05-30T00:00:00Z"}], "acknowledgments": [{"names": ["Remy (@xen0bit)"]}], "release_date": "2026-06-16T00:00:00Z"}]}