Vulnerability Reports - Go Packages

GO-2026-4603 standard library CVE-2026-27142 Affects: html/template Published: Mar 06, 2026 Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Sat, 07 Mar 2026 00:46:54 -0500

CVE-2026-23999, GHSA-ppwx-5jq7-px2w, github.com/fleetdm/fleet/v4, Published: Feb 27, 2026, Unreviewed, Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4563

Wed, 04 Mar 2026 23:05:06 -0500

CVE-2026-24004, GHSA-9pm7-6g36-6j78, github.com/fleetdm/fleet/v4, Published: Feb 27, 2026, Unreviewed, Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4562

Wed, 04 Mar 2026 23:05:00 -0500

CVE-2026-27900, GHSA-5rc7-2jj6-mp64, github.com/linode/terraform-provider-linode, github.com/linode/terraform-provider-linode/v2, and 1 more, Published: Feb 27, 2026, Unreviewed, Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure in github.com/linode/terraform-provider-linode

_{-- Delivered by RssEverything service}

GO-2026-4561

Wed, 04 Mar 2026 23:04:54 -0500

CVE-2026-25963, GHSA-5jvp-m9h4-253h, github.com/fleetdm/fleet/v4, Published: Feb 27, 2026, Unreviewed, Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4560

Wed, 04 Mar 2026 23:04:45 -0500

CVE-2026-27465, GHSA-2v6m-6xw3-6467, github.com/fleetdm/fleet/v4, Published: Feb 27, 2026, Unreviewed, Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4559

Thu, 26 Feb 2026 16:47:31 -0500

CVE-2026-27141, golang.org/x/net, Published: Feb 26, 2026

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

GO-2026-4558

CVE-2026-27808, GHSA-mpf7-p9x7-96r3
Affects: github.com/axllent/mailpit
Published: Feb 27, 2026, Unreviewed, Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API in github.com/axllent/mailpit

_{-- Delivered by RssEverything service}

GO-2026-4557

Wed, 04 Mar 2026 23:04:38 -0500

CVE-2026-26186, GHSA-49xw-vfc4-7p43, github.com/fleetdm/fleet/v4, Published: Feb 27, 2026, Unreviewed, Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4556

Wed, 04 Mar 2026 23:04:33 -0500

CVE-2026-27819, GHSA-42wg-38gx-85rh, code.vikunja.io/api, Published: Feb 27, 2026, Unreviewed, Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4554

Wed, 04 Mar 2026 23:04:26 -0500

CVE-2026-27730, GHSA-p2v6-84h2-5x4r, github.com/esm-dev/esm.sh, Published: Feb 27, 2026, Unreviewed, esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh

_{-- Delivered by RssEverything service}

GO-2026-4553

Wed, 04 Mar 2026 23:04:19 -0500

CVE-2026-27616, GHSA-7jp5-298q-jg98, code.vikunja.io/api, Published: Feb 27, 2026, Unreviewed, Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4552

Wed, 04 Mar 2026 23:04:14 -0500

CVE-2026-27116, GHSA-4qgr-4h56-8895, code.vikunja.io/api, Published: Feb 27, 2026, Unreviewed, Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4551

Wed, 04 Mar 2026 23:04:12 -0500

CVE-2026-27575, GHSA-3ccg-x393-96v8, code.vikunja.io/api, Published: Feb 27, 2026, Unreviewed, Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4550

Wed, 04 Mar 2026 23:04:07 -0500

CVE-2026-1229, GHSA-q9hv-hpm4-hj6x, github.com/cloudflare/circl, Published: Feb 27, 2026, Unreviewed, CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

_{-- Delivered by RssEverything service}

GO-2026-4549

Wed, 04 Mar 2026 23:04:01 -0500

CVE-2026-24005, GHSA-9fj4-3849-rv9g, github.com/openkruise/kruise, Published: Feb 27, 2026, Unreviewed, OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field in github.com/openkruise/kruise

_{-- Delivered by RssEverything service}

GO-2026-4548

Wed, 04 Mar 2026 23:03:55 -0500

GHSA-2phg-qgmm-r638, github.com/bishopfox/sliver, Published: Feb 25, 2026, Unreviewed, Sliver has Potential Zip Bomb Denial of Service in GzipEncoder in github.com/bishopfox/sliver

_{-- Delivered by RssEverything service}

GO-2026-4547

Thu, 26 Feb 2026 02:38:42 -0500

CVE-2026-27626, GHSA-49gm-hh7w-wfvf, github.com/OliveTin/OliveTin, Published: Feb 25, 2026, Unreviewed, OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks in github.com/OliveTin/OliveTin

_{-- Delivered by RssEverything service}

GO-2026-4546

Thu, 26 Feb 2026 02:38:39 -0500

CVE-2026-27611, GHSA-8vrh-3pm2-v4v6, github.com/gtsteffaniak/filebrowser/backend, Published: Feb 25, 2026, Unreviewed, FileBrowser Quantum: Password Protection Not Enforced on Shared File Links in github.com/gtsteffaniak/filebrowser/backend

_{-- Delivered by RssEverything service}

GO-2026-4545

Thu, 26 Feb 2026 02:38:34 -0500

CVE-2025-50180, GHSA-3c9r-837r-qqm4, github.com/esm-dev/esm.sh, Published: Feb 25, 2026, Unreviewed, esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh

_{-- Delivered by RssEverything service}

GO-2026-4543

Thu, 26 Feb 2026 16:47:28 -0500

CVE-2026-25882, GHSA-mrq8-rjmw-wpq3, github.com/gofiber/fiber/v2, github.com/gofiber/fiber/v3, Published: Feb 26, 2026

Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber

GO-2026-4542

CVE-2026-27598, GHSA-6v48-fcq6-ff23
Affects: github.com/dagu-org/dagu
Published: Feb 25, 2026, Unreviewed, Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory in github.com/dagu-org/dagu

_{-- Delivered by RssEverything service}

GO-2026-4541

Thu, 26 Feb 2026 16:47:18 -0500

CVE-2026-27588, GHSA-x76f-jf84-rqj8, github.com/caddyserver/caddy/v2, Published: Feb 26, 2026

Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2

GO-2026-4540

CVE-2026-25891, GHSA-m3c2-496v-cw3v
Affects: github.com/gofiber/fiber/v3
Published: Feb 26, 2026

Fiber has an Arbitrary File Read in Static Middleware on Windows in github.com/gofiber/fiber/v3

GO-2026-4539

CVE-2026-27586, GHSA-hffm-g8v7-wrv7
Affects: github.com/caddyserver/caddy/v2
Published: Feb 26, 2026

Caddy mTLS authentication fails open in github.com/caddyserver/caddy/v2

GO-2026-4538

CVE-2026-27587, GHSA-g7pc-pc7g-h8jh
Affects: github.com/caddyserver/caddy/v2
Published: Feb 26, 2026

Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2

GO-2026-4537

CVE-2026-27589, GHSA-879p-475x-rqh2
Affects: github.com/caddyserver/caddy/v2
Published: Feb 26, 2026

Caddy is vulnerable to cross-origin config application via local admin API /load in github.com/caddyserver/caddy/v2

GO-2026-4536

CVE-2026-27590, GHSA-5r3v-vc8m-m96g
Affects: github.com/caddyserver/caddy/v2
Published: Feb 26, 2026

Unicode case-folding causes incorrect split_path index in github.com/caddyserver/caddy/v2

GO-2026-4535

CVE-2026-27585, GHSA-4xrr-hq4w-6vf4
Affects: github.com/caddyserver/caddy/v2
Published: Feb 26, 2026

Improper sanitization of glob characters in github.com/caddyserver/caddy/v2

GO-2026-4534

CVE-2026-25899, GHSA-2mr3-m5q5-wgp6
Affects: github.com/gofiber/fiber/v3
Published: Feb 26, 2026

Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation in github.com/gofiber/fiber/v3

GO-2026-4533

CVE-2026-27571, GHSA-qrvq-68c2-7grw
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Feb 25, 2026, Unreviewed, nats-server websockets are vulnerable to pre-auth memory DoS in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4532

Thu, 26 Feb 2026 02:38:12 -0500

CVE-2026-25802, GHSA-299v-8pq9-5gjq, github.com/QuantumNous/new-api, Published: Feb 25, 2026, Unreviewed, New API has Potential XSS in its MarkdownRenderer component in github.com/QuantumNous/new-api

_{-- Delivered by RssEverything service}

GO-2026-4531

Thu, 26 Feb 2026 02:38:06 -0500

CVE-2026-25591, GHSA-w6x6-9fp7-fqm4, github.com/QuantumNous/new-api, Published: Feb 25, 2026, Unreviewed, New API has an SQL LIKE Wildcard Injection DoS via Token Search in github.com/QuantumNous/new-api

_{-- Delivered by RssEverything service}

GO-2026-4530

Mon, 23 Feb 2026 19:37:28 -0500

GHSA-gv8r-9rw9-9697, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Feb 23, 2026, Unreviewed, Traefik affected by TLS ClientAuth Bypass on HTTP/3 in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4529

Mon, 23 Feb 2026 19:37:24 -0500

CVE-2026-24122, GHSA-wfqv-66vq-46rm, github.com/sigstore/cosign, github.com/sigstore/cosign/v2, and 1 more, Published: Feb 23, 2026, Unreviewed, Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign

_{-- Delivered by RssEverything service}

GO-2026-4528

Mon, 23 Feb 2026 19:37:21 -0500

GHSA-j9wf-6r2x-hqmx, github.com/centrifugal/centrifugo, github.com/centrifugal/centrifugo/v3, and 3 more, Published: Feb 23, 2026, Unreviewed, Centrifugo v6.6.0 dependency vulnerabilities in github.com/centrifugal/centrifugo

_{-- Delivered by RssEverything service}

GO-2026-4527

Mon, 23 Feb 2026 19:37:12 -0500

GHSA-6qr9-g2xw-cw92, github.com/dagu-org/dagu, Published: Feb 23, 2026, Unreviewed, Dagu affected by unauthenticated RCE via inline DAG spec in default configuration in github.com/dagu-org/dagu

_{-- Delivered by RssEverything service}

GO-2026-4525

Mon, 23 Feb 2026 19:37:06 -0500

CVE-2026-0998, GHSA-w65c-fvp5-fvc5, github.com/mattermost/mattermost-plugin-zoom, Published: Feb 23, 2026, Unreviewed, Mattermost Plugin Zoom fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint in github.com/mattermost/mattermost-plugin-zoom

_{-- Delivered by RssEverything service}

GO-2026-4524

Mon, 23 Feb 2026 19:37:03 -0500

CVE-2025-13821, GHSA-pp9j-pf5c-659x, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server, and 5 more, Published: Feb 23, 2026, Unreviewed, Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251210191531-cd17b61de41b.

_{-- Delivered by RssEverything service}

GO-2026-4523

Mon, 23 Feb 2026 19:36:53 -0500

CVE-2025-14573, GHSA-cgjg-p2m2-qm4p, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server, and 5 more, Published: Feb 23, 2026, Unreviewed, Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251215190648-6404ab29acc0.

_{-- Delivered by RssEverything service}

GO-2026-4522

Mon, 23 Feb 2026 19:36:49 -0500

CVE-2026-26963, GHSA-5r23-prx4-mqg3, github.com/cilium/cilium, Published: Feb 23, 2026, Unreviewed, Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled in github.com/cilium/cilium

_{-- Delivered by RssEverything service}

GO-2026-4521

Mon, 23 Feb 2026 19:36:42 -0500

CVE-2025-14350, GHSA-57cc-2pf4-mhmx, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server, and 5 more, Published: Feb 23, 2026, Unreviewed, Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251209134645-761e56bb11cc.

_{-- Delivered by RssEverything service}

GO-2026-4520

Mon, 23 Feb 2026 19:36:38 -0500

CVE-2026-0999, GHSA-3c9r-7f29-qp32, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server, and 5 more, Published: Feb 23, 2026, Unreviewed, Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251212052346-61651b0df7ea.

_{-- Delivered by RssEverything service}

GO-2026-4519

Mon, 23 Feb 2026 19:36:27 -0500

CVE-2026-0997, GHSA-2phx-frhf-xr55, github.com/mattermost/mattermost-plugin-zoom, Published: Feb 23, 2026, Unreviewed, Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels in github.com/mattermost/mattermost-plugin-zoom

_{-- Delivered by RssEverything service}

GO-2026-4517

Mon, 23 Feb 2026 19:36:22 -0500

CVE-2026-24834, GHSA-wwj6-vghv-5p64, github.com/kata-containers/kata-containers/src/runtime, Published: Feb 23, 2026, Unreviewed, Kata Container to Guest micro VM privilege escalation in github.com/kata-containers/kata-containers/src/runtime

_{-- Delivered by RssEverything service}

GO-2026-4516

Mon, 23 Feb 2026 19:36:17 -0500

CVE-2026-27112, GHSA-7g9x-cp9g-92mr, github.com/akuity/kargo, Published: Feb 23, 2026, Unreviewed, Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints in github.com/akuity/kargo

_{-- Delivered by RssEverything service}

GO-2026-4515

Mon, 23 Feb 2026 19:36:11 -0500

CVE-2026-27111, GHSA-5vvm-67pj-72g4, github.com/akuity/kargo, Published: Feb 23, 2026, Unreviewed, Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo

_{-- Delivered by RssEverything service}

GO-2026-4512

Wed, 25 Feb 2026 00:59:44 -0500

CVE-2026-26995, GHSA-rrxv-pmq9-x67r, github.com/refraction-networking/utls, Published: Feb 24, 2026

Fingerprint vulnerability in uTLS from missing padding extension for Chrome 120 in github.com/refraction-networking/utls

GO-2026-4511

CVE-2026-26315, GHSA-m6j8-rg6r-7mv8
Affects: github.com/ethereum/go-ethereum
Published: Feb 24, 2026

Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum

GO-2026-4509

CVE-2026-27017, GHSA-7m29-f4hw-g2vx
Affects: github.com/refraction-networking/utls
Published: Feb 24, 2026

Fingerprint vulnerability in uTLS from GREASE ECH mismatch for Chrome parrots in github.com/refraction-networking/utls

GO-2026-4508

CVE-2026-26313, GHSA-689v-6xwf-5jf3
Affects: github.com/ethereum/go-ethereum
Published: Feb 24, 2026

Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum

GO-2026-4507

CVE-2026-26314, GHSA-2gjw-fg97-vg3r
Affects: github.com/ethereum/go-ethereum
Published: Feb 24, 2026

Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum

GO-2026-4506

CVE-2026-26205, GHSA-9f29-v6mm-pw6w
Affects: github.com/open-policy-agent/opa-envoy-plugin
Published: Feb 23, 2026, Unreviewed, opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path in github.com/open-policy-agent/opa-envoy-plugin

_{-- Delivered by RssEverything service}

GO-2026-4505

Mon, 23 Feb 2026 19:35:59 -0500

CVE-2026-26957, GHSA-wgm6-9rvv-3438, github.com/abhinavxd/libredesk, Published: Feb 23, 2026, Unreviewed, Libredesk has a SSRF Vulnerability in Webhooks in github.com/abhinavxd/libredesk

_{-- Delivered by RssEverything service}

GO-2026-4504

Mon, 23 Feb 2026 19:35:57 -0500

CVE-2026-26201, GHSA-f5p9-j34q-pwcc, github.com/jm33-m0/emp3r0r/core, Published: Feb 23, 2026, Unreviewed, emp3r0r Affected by Concurrent Map Access DoS (panic/crash) in github.com/jm33-m0/emp3r0r/core

_{-- Delivered by RssEverything service}

GO-2026-4503

Thu, 19 Feb 2026 21:28:35 -0500

CVE-2026-26958, filippo.io/edwards25519, Published: Feb 17, 2026

Previously, if MultiScalarMult was invoked on an initialized point who was not the identity point, MultiScalarMult produced an incorrect result. If called on an uninitialized point, MultiScalarMult exhibited undefined behavior.

GO-2026-4502

CVE-2026-25766, GHSA-pgvm-wxw2-hrv9
Affects: github.com/labstack/echo/v5
Published: Feb 26, 2026

Echo has a Windows path traversal via backslash in middleware.Static default filesystem in github.com/labstack/echo/v5

GO-2026-4501

CVE-2026-25120, GHSA-jj5m-h57j-5gv7
Affects: gogs.io/gogs
Published: Feb 23, 2026, Unreviewed, Gogs Allows Cross-Repository Comment Deletion via DeleteComment in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.14.0.

_{-- Delivered by RssEverything service}

GO-2026-4500

Mon, 23 Feb 2026 19:35:50 -0500

CVE-2026-25242, GHSA-fc3h-92p8-h36f, gogs.io/gogs, Published: Feb 23, 2026, Unreviewed, Unauthenticated File Upload in Gogs in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.14.1.

_{-- Delivered by RssEverything service}

GO-2026-4499

Mon, 23 Feb 2026 19:35:45 -0500

CVE-2026-25229, GHSA-cv22-72px-f4gh, gogs.io/gogs, Published: Feb 23, 2026, Unreviewed, Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.14.0.

_{-- Delivered by RssEverything service}

GO-2026-4498

Mon, 23 Feb 2026 19:35:37 -0500

CVE-2026-25232, GHSA-2c6v-8r3v-gh6p, gogs.io/gogs, Published: Feb 23, 2026, Unreviewed, Gogs has a Protected Branch Deletion Bypass in Web Interface in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.14.1.

_{-- Delivered by RssEverything service}

GO-2026-4497

Mon, 23 Feb 2026 19:35:30 -0500

GHSA-hr7j-63v7-vj7g, github.com/pterodactyl/wings, Published: Feb 23, 2026, Unreviewed, Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings

_{-- Delivered by RssEverything service}

GO-2026-4496

Mon, 23 Feb 2026 19:35:24 -0500

CVE-2026-22892, GHSA-9pj7-jh2r-87g8, github.com/mattermost/mattermost-server, Published: Feb 23, 2026, Unreviewed, Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server

_{-- Delivered by RssEverything service}

GO-2026-4495

Mon, 23 Feb 2026 19:35:17 -0500

CVE-2026-20796, GHSA-2xf7-hmf6-p64j, github.com/mattermost/mattermost-server, Published: Feb 23, 2026, Unreviewed, Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server

_{-- Delivered by RssEverything service}

GO-2026-4494

Mon, 23 Feb 2026 19:35:13 -0500

CVE-2026-26187, GHSA-699m-4v95-rmpm, github.com/treeverse/lakefs, Published: Feb 17, 2026, Unreviewed, lakeFS vulnerable to path traversal in local block adapter allow cross-namespace and sibling directory access in github.com/treeverse/lakefs

_{-- Delivered by RssEverything service}

GO-2026-4493

Thu, 19 Feb 2026 21:28:30 -0500

CVE-2026-26056, GHSA-wj8p-jj64-h7ff, github.com/yokecd/yoke, Published: Feb 17, 2026, Unreviewed, Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC in github.com/yokecd/yoke

_{-- Delivered by RssEverything service}

GO-2026-4491

Thu, 19 Feb 2026 21:28:25 -0500

CVE-2026-26055, GHSA-965m-v4cc-6334, github.com/yokecd/yoke, Published: Feb 17, 2026, Unreviewed, Unauthenticated Admission Webhook Endpoints in Yoke ATC in github.com/yokecd/yoke

_{-- Delivered by RssEverything service}

GO-2026-4490

Thu, 19 Feb 2026 21:28:19 -0500

CVE-2025-67860, GHSA-3c9m-gq32-g4jx, github.com/neuvector/scanner, Published: Feb 17, 2026, Unreviewed, NeuVector scanner insecurely handles passwords as command arguments in github.com/neuvector/scanner. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/neuvector/scanner before 4.072.

_{-- Delivered by RssEverything service}

GO-2026-4489

Thu, 19 Feb 2026 21:28:09 -0500

CVE-2026-24894, GHSA-r3xh-3r3w-47gp, github.com/dunglas/frankenphp, Published: Feb 17, 2026, Unreviewed, FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp

_{-- Delivered by RssEverything service}

GO-2026-4488

Thu, 19 Feb 2026 21:28:03 -0500

CVE-2026-21435, GHSA-px4r-g4p3-hhqv, github.com/quic-go/webtransport-go, Published: Feb 17, 2026, Unreviewed, webtransport-go: CloseWithError can block indefinitely in github.com/quic-go/webtransport-go

_{-- Delivered by RssEverything service}

GO-2026-4487

Thu, 19 Feb 2026 21:28:00 -0500

CVE-2017-18912, GHSA-m2ch-x2q7-2284, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.7.4-0.20170404171331-0b5c0794fdcb.

_{-- Delivered by RssEverything service}

GO-2026-4486

Thu, 19 Feb 2026 21:27:56 -0500

CVE-2026-24895, GHSA-g966-83w7-6w38, github.com/dunglas/frankenphp, Published: Feb 17, 2026, Unreviewed, FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP in github.com/dunglas/frankenphp

_{-- Delivered by RssEverything service}

GO-2026-4485

Thu, 19 Feb 2026 21:27:46 -0500

CVE-2026-21434, GHSA-g6x7-jq8p-6q9q, github.com/quic-go/webtransport-go, github.com/marten-seemann/webtransport-go, Published: Feb 19, 2026, Unreviewed, webtransport-go: Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule in github.com/quic-go/webtransport-go

_{-- Delivered by RssEverything service}

GO-2026-4484

Thu, 19 Feb 2026 21:27:38 -0500

CVE-2026-25949, GHSA-89p3-4642-cr2w, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Feb 17, 2026, Unreviewed, Traefik: TCP readTimeout bypass via STARTTLS on Postgres in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4483

Thu, 19 Feb 2026 21:27:35 -0500

CVE-2026-21438, GHSA-2f2x-8mwp-p2gc, github.com/quic-go/webtransport-go, Published: Feb 17, 2026, Unreviewed, webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map in github.com/quic-go/webtransport-go

_{-- Delivered by RssEverything service}

GO-2026-4481

Thu, 19 Feb 2026 21:27:26 -0500

CVE-2026-26190, GHSA-7ppg-37fh-vcr6, github.com/milvus-io/milvus, Published: Feb 17, 2026, Unreviewed, Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise in github.com/milvus-io/milvus. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/milvus-io/milvus before v2.5.27, from v2.6.0 before v2.6.10.

_{-- Delivered by RssEverything service}

GO-2026-4480

Thu, 19 Feb 2026 21:27:25 -0500

CVE-2026-25935, GHSA-m4g2-2q66-vc9v, code.vikunja.io/api, Published: Feb 17, 2026, Unreviewed, Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4479

Thu, 19 Feb 2026 21:27:17 -0500

CVE-2026-26014, GHSA-9f3f-wv7r-qc8r, github.com/pion/dtls, github.com/pion/dtls/v2, and 1 more, Published: Feb 19, 2026

Usage of random nonce generation with AES GCM ciphers risks leaking the authentication key in github.com/pion/dtls

GO-2026-4478

CVE-2017-18909, GHSA-r6j5-fqx9-7qv9
Affects: github.com/mattermost/mattermost-server
Published: Feb 17, 2026, Unreviewed, Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.8.1-0.20170504181128-4f074fed0d65.

_{-- Delivered by RssEverything service}

GO-2026-4477

Thu, 19 Feb 2026 21:27:14 -0500

CVE-2017-18906, GHSA-fpcr-4rr5-hpcp, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.9.2-0.20170714134023-b17fca0d5ee7.

_{-- Delivered by RssEverything service}

GO-2026-4476

Thu, 19 Feb 2026 21:27:08 -0500

CVE-2017-18908, GHSA-34cx-hvm4-vx7j, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server password reset email requests can be sent to attacker-provided email addresses in github.com/mattermost/mattermost-server

_{-- Delivered by RssEverything service}

GO-2026-4475

Thu, 19 Feb 2026 21:26:59 -0500

CVE-2026-25889, GHSA-hxw8-4h9j-hq2r, github.com/filebrowser/filebrowser, github.com/filebrowser/filebrowser/v2, Published: Feb 17, 2026, Unreviewed, File Browser has an Authentication Bypass in User Password Update in github.com/filebrowser/filebrowser

_{-- Delivered by RssEverything service}

GO-2026-4474

Thu, 19 Feb 2026 21:26:54 -0500

CVE-2026-25890, GHSA-4mh3-h929-w968, github.com/filebrowser/filebrowser, github.com/filebrowser/filebrowser/v2, Published: Feb 17, 2026, Unreviewed, File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL in github.com/filebrowser/filebrowser

_{-- Delivered by RssEverything service}

GO-2026-4473

Thu, 19 Feb 2026 21:26:44 -0500

CVE-2026-25934, GHSA-37cx-329c-33x3, github.com/go-git/go-git, github.com/go-git/go-git/v4, and 1 more, Published: Feb 19, 2026

Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

GO-2026-4471

CVE-2025-66630, GHSA-68rr-p4fp-j59v
Affects: github.com/gofiber/fiber, github.com/gofiber/fiber/v2
Published: Feb 19, 2026

Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure in github.com/gofiber/fiber

GO-2026-4467

CVE-2017-18916, GHSA-x33g-375j-jhf7
Affects: github.com/mattermost/mattermost-server
Published: Feb 17, 2026, Unreviewed, Mattermost Server has Improper Authorization for Integration Requests in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.6.7-0.20170420152529-0968e4079e0a.

_{-- Delivered by RssEverything service}

GO-2026-4466

Thu, 19 Feb 2026 21:26:44 -0500

CVE-2026-25791, GHSA-wxrw-gvg8-fqjp, github.com/bishopfox/sliver, Published: Feb 17, 2026, Unreviewed, Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service in github.com/bishopfox/sliver. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.12.

_{-- Delivered by RssEverything service}

GO-2026-4465

Thu, 19 Feb 2026 21:26:36 -0500

GHSA-vhvq-fv9f-wh4q, github.com/authzed/spicedb, Published: Feb 17, 2026, Unreviewed, LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic in github.com/authzed/spicedb. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

_{-- Delivered by RssEverything service}

GO-2026-4464

Thu, 19 Feb 2026 21:26:32 -0500

CVE-2017-18911, GHSA-m462-mqw4-2c8m, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server has X.509 Improper Certificate Validation in github.com/mattermost/mattermost-server

_{-- Delivered by RssEverything service}

GO-2026-4463

Thu, 19 Feb 2026 21:26:26 -0500

CVE-2017-18917, GHSA-jxc4-w54c-qv5r, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.7.5-0.20170421192444-247cd1e51a8c.

_{-- Delivered by RssEverything service}

GO-2026-4462

Thu, 19 Feb 2026 21:26:20 -0500

CVE-2017-18915, GHSA-hxxj-8phw-74vw, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.6.7-0.20170420152529-0968e4079e0a.

_{-- Delivered by RssEverything service}

GO-2026-4461

Thu, 19 Feb 2026 21:26:11 -0500

CVE-2026-25804, GHSA-86x4-wp9f-wrr9, antrea.io/antrea, Published: Feb 17, 2026, Unreviewed, Antrea has invalid enforcement order for network policy rules caused by integer overflow in antrea.io/antrea. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: antrea.io/antrea before v2.3.2, from v2.4.0 before v2.4.3.

_{-- Delivered by RssEverything service}

GO-2026-4460

Thu, 19 Feb 2026 21:26:03 -0500

CVE-2017-18918, GHSA-5ghq-28r7-qwfj, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server does not restrict SAML certificate path for System Administrators in github.com/mattermost/mattermost-server

_{-- Delivered by RssEverything service}

GO-2026-4459

Thu, 19 Feb 2026 21:25:59 -0500

CVE-2017-18907, GHSA-42x9-rr3c-gr59, github.com/mattermost/mattermost-server, Published: Feb 17, 2026, Unreviewed, Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.9.2-0.20170714014920-312269ad0bd1.

_{-- Delivered by RssEverything service}

GO-2026-4458

Thu, 19 Feb 2026 21:25:54 -0500

CVE-2026-25793, GHSA-69x3-g4r3-p962, github.com/slackhq/nebula, Published: Feb 17, 2026, Unreviewed, Blocklist Bypass possible via ECDSA Signature Malleability in github.com/slackhq/nebula

_{-- Delivered by RssEverything service}

GO-2026-4457

Thu, 19 Feb 2026 21:25:44 -0500

CVE-2025-65852, GHSA-rjv5-9px2-fqw6, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs has authorization bypass in repository deletion API in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4456

Thu, 19 Feb 2026 21:25:39 -0500

CVE-2025-13523, GHSA-ffx7-34p2-vm3w, github.com/mattermost/mattermost-plugin-confluence, Published: Feb 17, 2026, Unreviewed, Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering in github.com/mattermost/mattermost-plugin-confluence

_{-- Delivered by RssEverything service}

GO-2026-4455

Thu, 19 Feb 2026 21:25:33 -0500

CVE-2025-70963, GHSA-9f8m-9547-2gqm, github.com/gophish/gophish, Published: Feb 17, 2026, Unreviewed, Gophish is vulnerable to Incorrect Access Control in github.com/gophish/gophish

_{-- Delivered by RssEverything service}

GO-2026-4454

Thu, 19 Feb 2026 21:25:30 -0500

GHSA-26gq-grmh-6xm6, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs vulnerable to Stored XSS via Mermaid diagrams in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4453

Thu, 19 Feb 2026 21:25:26 -0500

CVE-2026-23633, GHSA-mrph-w4hh-gx3g, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs has arbitrary file read/write via Path Traversal in Git hook editing in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4452

Thu, 19 Feb 2026 21:25:16 -0500

CVE-2026-24135, GHSA-jp7c-wj6q-3qf2, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4451

Thu, 19 Feb 2026 21:25:13 -0500

CVE-2026-22592, GHSA-cr88-6mqm-4g57, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs has a Denial of Service issue in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4450

Thu, 19 Feb 2026 21:25:08 -0500

CVE-2026-23632, GHSA-5qhx-gwfj-6jqr, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs user can update repository content with read-only permission in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4449

Thu, 19 Feb 2026 21:24:58 -0500

CVE-2025-64175, GHSA-p6x6-9mx6-26wj, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs Vulnerable to 2FA Bypass via Recovery Code in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4448

Thu, 19 Feb 2026 21:24:55 -0500

CVE-2025-64111, GHSA-gg64-xxr9-qhjp, gogs.io/gogs, Published: Feb 17, 2026, Unreviewed, Gogs's update .git/config file allows remote command execution in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.13.4.

_{-- Delivered by RssEverything service}

GO-2026-4447

Thu, 19 Feb 2026 21:24:45 -0500

GHSA-vf5j-r2hw-2hrw, github.com/opencloud-eu/opencloud, Published: Feb 17, 2026, Unreviewed, OpenCloud Affected by Public Link Exploit in github.com/opencloud-eu/opencloud. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/opencloud-eu/opencloud from v4.0.0 before v4.0.3, from v5.0.0 before v5.0.2.

_{-- Delivered by RssEverything service}

GO-2026-4446

Thu, 19 Feb 2026 21:24:44 -0500

CVE-2026-24851, GHSA-jq9f-gm9w-rwm9, github.com/openfga/openfga, Published: Feb 17, 2026, Unreviewed, OpenFGA Improper Policy Enforcement in github.com/openfga/openfga

_{-- Delivered by RssEverything service}

GO-2026-4445

Thu, 19 Feb 2026 21:24:34 -0500

CVE-2026-25760, GHSA-2286-hxv5-cmp2, github.com/bishopfox/sliver, Published: Feb 17, 2026, Unreviewed, Sliver Vulnerable to Website Path Traversal / Arbitrary File Read (Authenticated) in github.com/bishopfox/sliver

_{-- Delivered by RssEverything service}

GO-2026-4444

Thu, 19 Feb 2026 21:24:26 -0500

CVE-2026-23989, GHSA-9j2f-3rj3-wgpg, github.com/opencloud-eu/reva, github.com/opencloud-eu/reva/v2, Published: Feb 17, 2026, Unreviewed, OpenCloud Reva has a Public Link Exploit in github.com/opencloud-eu/reva

_{-- Delivered by RssEverything service}

GO-2026-4442

Thu, 19 Feb 2026 21:24:23 -0500

GHSA-x9p2-77v6-6vhf, github.com/dunglas/frankenphp, Published: Feb 17, 2026, Unreviewed, FrankenPHP has delayed propagation of security fixes in upstream base images in github.com/dunglas/frankenphp. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/dunglas/frankenphp before v1.1.11.

_{-- Delivered by RssEverything service}

GO-2026-4441

Thu, 05 Feb 2026 14:24:25 -0500

CVE-2025-58190, golang.org/x/net, Published: Feb 05, 2026

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

GO-2026-4440

CVE-2025-47911
Affects: golang.org/x/net
Published: Feb 05, 2026

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

GO-2026-4436

CVE-2023-43637, GHSA-g7vp-j25f-h34p
Affects: github.com/lf-edge/eve
Published: Feb 17, 2026, Unreviewed, EVE Has Partially Predetermined Vault Key in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4435

Thu, 19 Feb 2026 21:24:14 -0500

CVE-2023-43636, GHSA-5h7v-g49c-h887, github.com/lf-edge/eve, Published: Feb 17, 2026, Unreviewed, EVE Doesn't Protect Rootfs in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4434

Thu, 19 Feb 2026 21:24:09 -0500

CVE-2023-43635, GHSA-4jvr-vj2c-8q37, github.com/lf-edge/eve, Published: Feb 17, 2026, Unreviewed, EVE Seals Vault Key With SHA1 PCRs in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4433 standard library CVE-2025-61732 Affects: cmd/cgo Published: Feb 05, 2026 A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. GO-2026-4432

Thu, 19 Feb 2026 21:24:07 -0500

CVE-2023-43634, GHSA-wc42-fcjp-v8vq, github.com/lf-edge/eve, Published: Feb 05, 2026, Unreviewed, EVE Doesn't Protect Config Partition with Measured Boot in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4430

Thu, 05 Feb 2026 02:33:51 -0500

CVE-2023-43630, GHSA-phcg-h58r-gmcq, github.com/lf-edge/eve, Published: Feb 05, 2026, Unreviewed, EVE Doesn't Measure Config Partition From 2 Fronts in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4428

Thu, 05 Feb 2026 02:33:45 -0500

CVE-2023-43633, GHSA-4c4v-42hc-72p6, github.com/lf-edge/eve, Published: Feb 05, 2026, Unreviewed, EVE's Debug Functions Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4426

Thu, 05 Feb 2026 02:33:39 -0500

CVE-2026-24512, GHSA-jx8c-56mg-h6vp, k8s.io/ingress-nginx, Published: Feb 05, 2026, Unreviewed, ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx in k8s.io/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: k8s.io/ingress-nginx before v1.13.7, from v1.14.0 before v1.14.3.

_{-- Delivered by RssEverything service}

GO-2026-4425

Thu, 05 Feb 2026 02:33:33 -0500

CVE-2025-62878, GHSA-jr3w-9vfr-c746, github.com/rancher/local-path-provisioner, Published: Feb 05, 2026, Unreviewed, Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern in github.com/rancher/local-path-provisioner

_{-- Delivered by RssEverything service}

GO-2026-4423

Thu, 05 Feb 2026 02:33:28 -0500

CVE-2026-1580, GHSA-9h3p-52vh-959w, k8s.io/ingress-nginx, Published: Feb 05, 2026, Unreviewed, ingress-nginx's `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx in k8s.io/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: k8s.io/ingress-nginx before v1.13.7, from v1.14.0 before v1.14.3.

_{-- Delivered by RssEverything service}

GO-2026-4422

Thu, 05 Feb 2026 02:33:22 -0500

CVE-2023-43632, GHSA-6jp5-grgh-jw42, github.com/lf-edge/eve, Published: Feb 05, 2026, Unreviewed, EVE Freely Allocates Buffer on The Stack With Data From Socket in github.com/lf-edge/eve

_{-- Delivered by RssEverything service}

GO-2026-4421

Thu, 05 Feb 2026 02:33:11 -0500

CVE-2026-24735, GHSA-5w5r-8xc6-2xhw, github.com/apache/answer, Published: Feb 05, 2026, Unreviewed, Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability in github.com/apache/answer. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/answer before v2.0.0.

_{-- Delivered by RssEverything service}