CVE-2016-10099 Borg before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest , potentially allowing an attacker to spoof the list of archives.