{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.49"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b0b856df1eb1265ce56785eb1d2af880669b8788"
            }
          ],
          "repo": "https://github.com/srvrco/getssl",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "runZero",
    "cwe_ids": [
      "CWE-73"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10303.json"
  },
  "details": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues.",
  "id": "CVE-2026-10303",
  "modified": "2026-07-08T05:37:44.522541701Z",
  "published": "2026-06-16T18:24:43.712Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10303.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/srvrco/getssl/releases/tag/v2.50"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10303"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"
    },
    {
      "type": "FIX",
      "url": "https://github.com/srvrco/getssl/pull/896"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/srvrco/getssl"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ServerCo getssl ACME shell script path injection"
}