
AIKIDO-2026-10281

github.com/axllent/ghru/v2 is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 3, 2026

Score: 62 (Medium Risk)

This Affects:

Go: github.com/axllent/ghru/v2
2.0.0 - 2.0.2
Fixed in 2.1.0

TL;DR

Affected versions of this package are vulnerable to a path traversal in the archive extraction functionality. Specifically, archive entries containing crafted file paths (such as paths resolving outside the intended directory) could be extracted in a way that escapes the target directory, potentially overwriting or creating files in arbitrary locations. This behavior can be exploited by an attacker supplying a malicious archive to write or overwrite sensitive files on the host filesystem.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

github.com/axllent/ghru/v2 is vulnerable to Path Traversal in versions 2.0.0 - 2.0.2.

How to fix this

Upgrade the github.com/axllent/ghru/v2 library to the patched version, 2.1.0.