CVE-2026-10303
Awaiting Analysis - Queue
Path Traversal in ServerCo getssl

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-17
AI Q&A: 2026-06-16
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor | Product | Version / Range
serverco | getssl | to 2.50 (exc)
serverco | getssl | to 2.49 (exc)

CWE ID | Description
CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations.

Executive Summary

CVE-2026-10303 is a vulnerability in ServerCo's getssl ACME shell script version 2.49 and earlier. The issue arises because the ACME challenge token returned to the client is not strictly validated against RFC 8555 before being used in challenge-file handling.

This improper validation allows a maliciously crafted token to manipulate local file paths or filenames during validation, which can lead to unauthorized file writes or path traversal.

An attacker who can supply or tamper with ACME challenge responses (for example, a malicious or compromised CA endpoint, or an on-path adversary) could exploit this vulnerability to achieve remote command injection, often with elevated privileges.

This vulnerability is related to CWE-73, "External control of file name or path," and is similar in spirit to CVE-2023-38198.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized file writes and path traversal on the affected system.

Exploitation can lead to remote command injection, which means an attacker could execute arbitrary commands on the server running getssl, often with elevated privileges.

Such unauthorized access and command execution could compromise the integrity and security of the system, potentially leading to data breaches, system takeover, or further attacks within the network.

Detection Guidance

Detection of CVE-2026-10303 involves monitoring for unusual or unauthorized ACME challenge tokens being processed by getssl version 2.49 or earlier. Since the vulnerability allows crafted tokens to manipulate local file paths and potentially execute remote commands, inspecting logs for unexpected file writes or path traversal attempts related to ACME challenge handling is important.

Specific commands to detect exploitation attempts are not explicitly provided in the resources. However, general approaches include:

  • Checking the version of getssl installed to confirm if it is vulnerable (version 2.49 or earlier).
  • Reviewing system and application logs for suspicious file creation or modification events in directories used by getssl for ACME challenges.
  • Using file integrity monitoring tools to detect unexpected changes in files related to ACME challenge handling.
  • Monitoring network traffic for unusual ACME challenge responses or tampering attempts, especially from untrusted or unexpected sources.

Mitigation Strategies

The primary immediate mitigation step is to upgrade getssl to version 2.50 or later, where the vulnerability has been fixed by implementing strict RFC 8555 validation of ACME challenge tokens.
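
An added example, not getssl's own code: one way a shell ACME client can apply the RFC 8555 section 8.3 token rule (base64url alphabet only, no "=" padding) before the token is used as a filename. The function names, the 22-to-256 character bounds and the sample tokens are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not getssl code. Function names and length bounds are assumptions.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges below byte-exact

# RFC 8555 section 8.3: a challenge token uses only the base64url alphabet and
# carries no "=" padding. 128 bits of entropy needs at least 22 such characters.
acme_token_is_valid() {
  # $1 = token exactly as received from the ACME server
  [ "${#1}" -ge 22 ] && [ "${#1}" -le 256 ] || return 1   # 256 is an assumed cap
  case $1 in
    *[!A-Za-z0-9_-]*) return 1 ;;   # '/', '.', '=', spaces, newlines, metacharacters
  esac
  return 0
}

# Write the key authorization for an http-01 challenge, refusing bad tokens.
write_challenge_file() {
  # $1 = challenge directory, $2 = token, $3 = key authorization
  if ! acme_token_is_valid "$2"; then
    echo "refusing token that fails RFC 8555 validation" >&2
    return 1
  fi
  [ -d "$1" ] && [ ! -L "$1/$2" ] || return 1   # never write through a symlink
  printf '%s' "$3" > "$1/$2"
}

# Constructed sample tokens: one well-formed, three malformed.
demo() {
  dir=$(mktemp -d) || return 1
  good='Zm9vYmFyLWNvbnN0cnVjdGVkLXRva2VuXzEyMzQ1Ng'
  for t in "$good" '../../outside-AAAAAAAAAAAAAAAAAAAA' \
           'Zm9vYmFyLWNvbnN0cnVjdGVkLXRva2Vu==' 'short'; do
    if write_challenge_file "$dir" "$t" "$t.constructed-thumbprint" 2>/dev/null; then
      echo "accepted: $t"
    else
      echo "rejected: $t"
    fi
  done
  rm -rf "$dir"
}
demo
```

Because the check runs before the token is joined to the directory, a rejected token never reaches any filesystem call.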

Additional mitigation steps include:

  • Restricting network access to trusted Certificate Authority endpoints to prevent malicious or tampered ACME challenge responses.
  • Implementing monitoring and alerting for suspicious file writes or path traversal attempts related to ACME challenge handling.
  • Reviewing and hardening the environment where getssl runs to limit the impact of potential exploitation, such as running with least privilege.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-10303 on compliance with common standards and regulations such as GDPR or HIPAA.
