Description
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
Published: 2026-06-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In ServerCo getssl versions prior to 2.50, ACME challenge tokens were not validated against RFC 8555 before being used in file paths, enabling a malicious token to control the local file name or path. This flaw permits an attacker who can supply or modify ACME challenge responses—such as a compromised CA endpoint or an on‑path adversary—to write arbitrary files or follow directory traversal, often with elevated privileges, ultimately leading to remote command execution on the host.

Affected Systems

The affected product is ServerCo getssl, a shell script used for automated TLS certificate acquisition. The vulnerability exists in version 2.49 and earlier; version 2.50 and later contain the fix. Thus any environments running getssl 2.49 or older are susceptible.

Risk and Exploitability

The CVSS score of 7.4 indicates a fairly high severity, and the EPSS score of less than 1 % reflects a low probability of exploitation in the wild, though the risk is amplified by the remote command injection potential. The vulnerability is not currently listed in CISA's KEV catalog. Attackers need the ability to influence ACME challenge responses or intercept them on the network. Once such control is achieved, path traversal or unauthorized file creation can be performed, which, if executed with elevated privileges, grants full remote command execution potential.

Generated by OpenCVE AI on June 17, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to getssl v2.50 or later to apply the vendor‑fixed token validation.
  • If the upgrade cannot be performed immediately, configure the environment to force strict RFC 8555 validation of ACME challenge tokens before any file operations, or manually patch the script to include this validation.
  • Run getssl under a dedicated, least‑privileged user and configure the challenge file directory to be writable only by that user, limiting the impact of any remaining path traversal.

Generated by OpenCVE AI on June 17, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Serverco
Serverco getssl
Vendors & Products Serverco
Serverco getssl

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
Title ServerCo getssl ACME shell script path injection
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-17T15:18:11.930Z

Reserved: 2026-05-31T21:05:04.476Z

Link: CVE-2026-10303

cve-icon Vulnrichment

Updated: 2026-06-17T15:18:07.949Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:26.963

Modified: 2026-06-16T20:47:43.440

Link: CVE-2026-10303

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:04Z

Weaknesses
  • CWE-73

    External Control of File Name or Path