Description

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.

INFO

Published Date :

2026-03-18T22:24:29.102Z

Last Modified :

2026-03-19T13:46:59.937Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32805 vulnerability.

Vendors Products
Ctfer-io
  • Romeo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32805.

URL Resource
https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263 cve-icon cve-icon
https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact