Vulnerability Reports - Go Packages

GO-2026-4986 standard library CVE-2026-39820 Affects: net/mail Published: May 07, 2026 Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. GO-2026-4984 standard library

Thu, 07 May 2026 17:01:33 -0400

CVE-2026-33812, golang.org/x/image, Published: Apr 21, 2026

Parsing a malicious font file can cause excessive memory allocation.

GO-2026-4961

CVE-2026-33813
Affects: golang.org/x/image
Published: Apr 21, 2026

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

GO-2026-4947

standard library

CVE-2026-32280
Affects: crypto/x509
Published: Apr 07, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

GO-2026-4946

standard library

CVE-2026-32281
Affects: crypto/x509
Published: Apr 07, 2026

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

GO-2026-4924

CVE-2025-68153, GHSA-245v-p8fj-vwm2
Affects: github.com/juju/juju
Published: Apr 06, 2026, Unreviewed, Juju has a resource poisoning vulnerability in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9 before v2.9.56, from v3.6 before v3.6.19.

_{-- Delivered by RssEverything service}

GO-2026-4920

Wed, 08 Apr 2026 12:12:42 -0400

CVE-2026-34940, GHSA-324q-cwx9-7crr, github.com/kubeai-project/kubeai, Published: Apr 06, 2026, Unreviewed, KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai

_{-- Delivered by RssEverything service}

GO-2026-4919

Wed, 01 Apr 2026 14:57:20 -0400

CVE-2026-33634, GHSA-69fq-xp46-6x23, github.com/aquasecurity/trivy, Published: Apr 01, 2026

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release.

GO-2026-4918

standard library

CVE-2026-33814
Affects: golang.org/x/net, net/http
Published: May 07, 2026

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

GO-2026-4916

CVE-2026-26233, GHSA-247x-7qw8-fp98
Affects: github.com/mattermost/mattermost-server
Published: Apr 02, 2026, Unreviewed, Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v8.0.0-20260105080200-d27a2195068d before v8.0.0-20260217110922-b7d4a1f1f59b.

_{-- Delivered by RssEverything service}

GO-2026-4915

Thu, 02 Apr 2026 17:10:03 -0400

CVE-2026-34388, GHSA-w254-4hp5-7cvv, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4914

Thu, 02 Apr 2026 17:09:52 -0400

CVE-2026-34385, GHSA-v895-833r-8c45, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4913

Thu, 02 Apr 2026 17:09:47 -0400

CVE-2026-34386, GHSA-9p23-p2m4-2r4m, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4912

Thu, 02 Apr 2026 17:09:43 -0400

CVE-2026-34389, GHSA-4f9r-x588-pp2h, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4911

Thu, 02 Apr 2026 17:09:38 -0400

CVE-2026-33990, GHSA-x2f5-332j-9xwq, github.com/docker/model-runner, Published: Apr 02, 2026, Unreviewed, Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) in github.com/docker/model-runner

_{-- Delivered by RssEverything service}

GO-2026-4910

Tue, 07 Apr 2026 12:25:06 -0400

CVE-2026-34165, GHSA-jhf3-xxhw-2wpp, github.com/go-git/go-git, github.com/go-git/go-git/v4, and 1 more, Published: Apr 07, 2026

Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git

GO-2026-4909

CVE-2026-33762, GHSA-gm2x-2g9h-ccm8
Affects: github.com/go-git/go-git, github.com/go-git/go-git/v4, and 1 more
Published: Apr 07, 2026

Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git

GO-2026-4907

CVE-2026-33027, GHSA-m8p8-53vf-8357
Affects: github.com/0xJacky/Nginx-UI
Published: Apr 02, 2026, Unreviewed, Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation in github.com/0xJacky/Nginx-UI

_{-- Delivered by RssEverything service}

GO-2026-4906

Thu, 02 Apr 2026 17:09:24 -0400

CVE-2026-33028, GHSA-m468-xcm6-fxg4, github.com/0xJacky/Nginx-UI, github.com/uozi-tech/cosy, Published: Apr 02, 2026, Unreviewed, nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI

_{-- Delivered by RssEverything service}

GO-2026-4905

Thu, 02 Apr 2026 17:09:19 -0400

CVE-2026-27018, GHSA-jjwv-57xh-xr6r, github.com/gotenberg/gotenberg/v7, github.com/gotenberg/gotenberg/v8, Published: Apr 02, 2026, Unreviewed, Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) in github.com/gotenberg/gotenberg

_{-- Delivered by RssEverything service}

GO-2026-4904

Thu, 02 Apr 2026 17:09:13 -0400

CVE-2026-33032, GHSA-h6c2-x2m2-mwhf, github.com/0xJacky/Nginx-UI, Published: Apr 02, 2026, Unreviewed, nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI

_{-- Delivered by RssEverything service}

GO-2026-4903

Thu, 02 Apr 2026 17:09:08 -0400

CVE-2026-33026, GHSA-fhh2-gg7w-gwpq, github.com/0xJacky/Nginx-UI, Published: Apr 02, 2026, Unreviewed, nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI

_{-- Delivered by RssEverything service}

GO-2026-4902

Thu, 02 Apr 2026 17:09:04 -0400

CVE-2026-33029, GHSA-cp8r-8jvw-v3qg, github.com/0xJacky/Nginx-UI, Published: Apr 02, 2026, Unreviewed, nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI

_{-- Delivered by RssEverything service}

GO-2026-4901

Thu, 02 Apr 2026 17:08:54 -0400

CVE-2026-33030, GHSA-5hf2-vhj6-gj9m, github.com/0xJacky/nginx-ui, Published: Apr 02, 2026, Unreviewed, nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui

_{-- Delivered by RssEverything service}

GO-2026-4899

Thu, 02 Apr 2026 17:08:47 -0400

GHSA-c279-989m-238f, github.com/bishopfox/sliver, Published: Apr 02, 2026, Unreviewed, Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted in github.com/bishopfox/sliver

_{-- Delivered by RssEverything service}

GO-2026-4897

Thu, 02 Apr 2026 17:08:46 -0400

GHSA-46wh-3698-f2cx, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Apr 02, 2026, Unreviewed, Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4896

Thu, 02 Apr 2026 17:08:34 -0400

CVE-2026-34204, GHSA-3rh2-v3gr-35p9, github.com/minio/minio, Published: Apr 02, 2026, Unreviewed, MinIO is Vulnerable to SSE Metadata Injection via Replication Headers in github.com/minio/minio

_{-- Delivered by RssEverything service}

GO-2026-4894

Thu, 02 Apr 2026 17:08:31 -0400

CVE-2026-32241, GHSA-vchx-5pr6-ffx2, github.com/flannel-io/flannel, Published: Apr 02, 2026, Unreviewed, Flannel has cross-node remote code execution via extension backend BackendData injection in github.com/flannel-io/flannel

_{-- Delivered by RssEverything service}

GO-2026-4893

Thu, 02 Apr 2026 17:08:25 -0400

CVE-2026-33433, GHSA-qr99-7898-vr7c, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Apr 02, 2026, Unreviewed, Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4892

Thu, 02 Apr 2026 17:08:19 -0400

CVE-2026-29180, GHSA-m2h6-4xpq-qw3m, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet

_{-- Delivered by RssEverything service}

GO-2026-4891

Thu, 02 Apr 2026 17:08:11 -0400

CVE-2026-34041, GHSA-xmgr-9pqc-h5vw, github.com/nektos/act, Published: Apr 02, 2026, Unreviewed, act: Unrestricted set-env and add-path command processing enables environment injection in github.com/nektos/act

_{-- Delivered by RssEverything service}

GO-2026-4890

Thu, 02 Apr 2026 17:08:08 -0400

CVE-2026-34042, GHSA-x34h-54cw-9825, github.com/nektos/act, Published: Apr 02, 2026, Unreviewed, act: actions/cache server allows malicious cache injection in github.com/nektos/act

_{-- Delivered by RssEverything service}

GO-2026-4889

Thu, 02 Apr 2026 17:07:59 -0400

CVE-2026-26061, GHSA-99hj-44vg-hfcp, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/fleetdm/fleet/v4 before v4.43.5-0.20260113202849-bbc1aef2987d.

_{-- Delivered by RssEverything service}

GO-2026-4888

Thu, 02 Apr 2026 17:07:57 -0400

CVE-2026-26060, GHSA-3458-r943-hmx4, github.com/fleetdm/fleet/v4, Published: Apr 02, 2026, Unreviewed, Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/fleetdm/fleet/v4 before v4.43.5-0.20260113202849-bbc1aef2987d.

_{-- Delivered by RssEverything service}

GO-2026-4887

Thu, 02 Apr 2026 17:07:48 -0400

CVE-2026-34040, GHSA-x744-4wpc-v9h2, github.com/docker/docker, github.com/moby/moby, and 1 more, Published: Apr 02, 2026, Unreviewed, Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker

_{-- Delivered by RssEverything service}

GO-2026-4886

Tue, 07 Apr 2026 12:25:01 -0400

CVE-2026-33743, GHSA-vg76-xmhg-j5x3, github.com/lxc/incus, github.com/lxc/incus/v6, Published: Apr 07, 2026

Incus vulnerable to denial of source through crafted bucket backup file in github.com/lxc/incus

GO-2026-4885

CVE-2026-33711, GHSA-q9vp-3wcg-8p4x
Affects: github.com/lxc/incus, github.com/lxc/incus/v6
Published: Apr 07, 2026

Incus vulnerable to local privilege escalation through VM screenshot path in github.com/lxc/incus

GO-2026-4884

CVE-2026-33945, GHSA-q4q8-7f2j-9h9f
Affects: github.com/lxc/incus, github.com/lxc/incus/v6
Published: Apr 07, 2026

Incus has an abitrary file write through its systemd-creds options in github.com/lxc/incus

GO-2026-4883

CVE-2026-33997, GHSA-pxq6-2prw-chj9
Affects: github.com/docker/docker, github.com/moby/moby, and 1 more
Published: Apr 02, 2026, Unreviewed, Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker

_{-- Delivered by RssEverything service}

GO-2026-4882

Tue, 07 Apr 2026 12:24:55 -0400

CVE-2026-33542, GHSA-p8mm-23gg-jc9r, github.com/lxc/incus, github.com/lxc/incus/v6, Published: Apr 07, 2026

Incus does not verify combined fingerprint when downloading images from simplestreams servers in github.com/lxc/incus

GO-2026-4881

CVE-2026-33897, GHSA-83xr-5xxr-mh92
Affects: github.com/lxc/incus, github.com/lxc/incus/v6
Published: Apr 07, 2026

Incus vulnerable to arbitrary file read and write through pongo templates in github.com/lxc/incus

GO-2026-4880

CVE-2026-32695, GHSA-67jx-r9pv-98rj
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Apr 02, 2026, Unreviewed, Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4879

Tue, 07 Apr 2026 12:24:49 -0400

CVE-2026-33898, GHSA-453r-g2pg-cxxq, github.com/lxc/incus, github.com/lxc/incus/v6, Published: Apr 07, 2026

Local Incus UI web server vulnerable to nuthentication bypass in github.com/lxc/incus

GO-2026-4876

GHSA-prh4-vhfh-24mj
Affects: github.com/goharbor/harbor
Published: Apr 02, 2026, Unreviewed, Harbor: LDAP password and OIDC secret are not redacted in the audit log in github.com/goharbor/harbor

_{-- Delivered by RssEverything service}

GO-2026-4875

Thu, 02 Apr 2026 17:07:22 -0400

CVE-2026-33903, GHSA-f2f3-9cx3-wcmf, github.com/ellanetworks/core, Published: Apr 02, 2026, Unreviewed, Ella Core panics when processing a crafted NGAP LocationReport message in github.com/ellanetworks/core

_{-- Delivered by RssEverything service}

GO-2026-4874

Thu, 02 Apr 2026 17:07:20 -0400

CVE-2026-33904, GHSA-9h59-p45g-445h, github.com/ellanetworks/core, Published: Apr 02, 2026, Unreviewed, Ella Core has a Denial of Service via SCTP connection cleanup deadlock in github.com/ellanetworks/core

_{-- Delivered by RssEverything service}

GO-2026-4873

Thu, 02 Apr 2026 17:07:13 -0400

CVE-2026-33906, GHSA-87j9-m7x6-hvw2, github.com/ellanetworks/core, Published: Apr 02, 2026, Unreviewed, Ella Core has Privilege Escalation via Database Restore by NetworkManager role in github.com/ellanetworks/core

_{-- Delivered by RssEverything service}

GO-2026-4872

Thu, 02 Apr 2026 17:07:10 -0400

CVE-2026-33907, GHSA-55q8-2gwx-29pc, github.com/ellanetworks/core, Published: Apr 02, 2026, Unreviewed, Ella Core Panics during NAS Authentication Response/Failure with missing IEs in github.com/ellanetworks/core

_{-- Delivered by RssEverything service}

GO-2026-4871 standard library CVE-2026-27140 Affects: cmd/go Published: Apr 07, 2026 SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. GO-2026-4870 standard library ...

Tue, 07 Apr 2026 21:37:42 -0400

GHSA-g9ww-x58f-9g6m, github.com/edgelesssys/contrast, Published: Apr 02, 2026, Unreviewed, Contrast BadAML injection allows arbitrary code execution in github.com/edgelesssys/contrast

_{-- Delivered by RssEverything service}

GO-2026-4862

Thu, 02 Apr 2026 17:06:52 -0400

CVE-2026-33758, GHSA-cpj3-3r2f-xj59, github.com/openbao/openbao, Published: Mar 26, 2026, Unreviewed, OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao

_{-- Delivered by RssEverything service}

GO-2026-4861

Thu, 26 Mar 2026 18:05:33 -0400

CVE-2019-8400, GHSA-7v6r-w4r6-mhch, github.com/ory/hydra, Published: Mar 26, 2026, Unreviewed, Hydra has Reflected XSS via error_hint parameter in github.com/ory/hydra. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/ory/hydra before v1.4.8.

_{-- Delivered by RssEverything service}

GO-2026-4860

Thu, 26 Mar 2026 18:05:25 -0400

CVE-2026-33757, GHSA-7q7g-x6vg-xpc3, github.com/openbao/openbao, Published: Mar 26, 2026, Unreviewed, OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao

_{-- Delivered by RssEverything service}

GO-2026-4859

Fri, 27 Mar 2026 21:45:31 -0400

CVE-2026-33748, GHSA-4vrq-3vrq-g6gg, github.com/moby/buildkit, Published: Mar 27, 2026

BuildKit Git URL subdir component can cause access to restricted files in github.com/moby/buildkit

GO-2026-4858

CVE-2026-33747, GHSA-4c29-8rgm-jvjj
Affects: github.com/moby/buildkit
Published: Mar 27, 2026

BuildKit's Malicious frontend can cause file escape outside of storage root in github.com/moby/buildkit

GO-2026-4857

CVE-2026-33729, GHSA-h6c8-cww8-35hf
Affects: github.com/openfga/openfga
Published: Mar 26, 2026, Unreviewed, OpenFGA has an Authorization Bypass through cached keys in github.com/openfga/openfga

_{-- Delivered by RssEverything service}

GO-2026-4856

Thu, 26 Mar 2026 18:05:13 -0400

CVE-2026-33726, GHSA-hxv8-4j4r-cqgv, github.com/cilium/cilium, Published: Mar 26, 2026, Unreviewed, Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium

_{-- Delivered by RssEverything service}

GO-2026-4855

Thu, 26 Mar 2026 18:05:10 -0400

GHSA-2pv8-4c52-mf8j, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4854

Thu, 26 Mar 2026 18:05:02 -0400

CVE-2026-24516, GHSA-fh3m-562m-w4f6, github.com/digitalocean/droplet-agent, Published: Mar 26, 2026, Unreviewed, DigitalOcean Droplet Agent: Command Injection via Metadata Service Endpoint in github.com/digitalocean/droplet-agent

_{-- Delivered by RssEverything service}

GO-2026-4853

Thu, 26 Mar 2026 18:04:53 -0400

CVE-2026-33678, GHSA-jfmm-mjcp-8wq2, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4852

Thu, 26 Mar 2026 18:04:49 -0400

CVE-2026-33679, GHSA-g9xj-752q-xh63, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4851

Thu, 26 Mar 2026 18:04:41 -0400

CVE-2026-33675, GHSA-g66v-54v9-52pr, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4850

Thu, 26 Mar 2026 18:04:35 -0400

CVE-2026-33700, GHSA-f95f-77jx-fcjc, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4849

Thu, 26 Mar 2026 18:04:32 -0400

CVE-2026-33668, GHSA-94xm-jj8x-3cr4, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4848

Thu, 26 Mar 2026 18:04:24 -0400

CVE-2026-33680, GHSA-8hp8-9fhr-pfm9, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.2.

_{-- Delivered by RssEverything service}

GO-2026-4847

Thu, 26 Mar 2026 18:04:21 -0400

CVE-2026-33676, GHSA-8cmm-j6c4-rr8v, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4846

Thu, 26 Mar 2026 18:04:15 -0400

CVE-2026-33677, GHSA-7c2g-p23p-4jg3, code.vikunja.io/api, Published: Mar 26, 2026, Unreviewed, Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.

_{-- Delivered by RssEverything service}

GO-2026-4845

Thu, 26 Mar 2026 18:04:10 -0400

CVE-2026-4404, GHSA-hj7x-hmf2-hc2p, github.com/goharbor/harbor, Published: Mar 26, 2026, Unreviewed, Harbor allows the use of the default password for web UI login in github.com/goharbor/harbor

_{-- Delivered by RssEverything service}

GO-2026-4844

Thu, 26 Mar 2026 18:04:03 -0400

CVE-2026-33529, GHSA-7pq3-326h-f8q9, github.com/tobychui/zoraxy, Published: Mar 26, 2026, Unreviewed, Zoraxy: Authenticated Path Traversal in Config Import leads to RCE in github.com/tobychui/zoraxy

_{-- Delivered by RssEverything service}

GO-2026-4843

Thu, 26 Mar 2026 18:03:58 -0400

CVE-2026-33670, GHSA-xmw9-6r43-x9ww, github.com/siyuan-note/siyuan/kernel, Published: Mar 26, 2026, Unreviewed, SiYuan has directory traversal within its publishing service in github.com/siyuan-note/siyuan/kernel

_{-- Delivered by RssEverything service}

GO-2026-4842

Thu, 26 Mar 2026 18:03:49 -0400

CVE-2026-33669, GHSA-34xj-66v3-6j83, github.com/siyuan-note/siyuan/kernel, Published: Mar 26, 2026, Unreviewed, SiYuan has Arbitrary Document Reading within the Publishing Service in github.com/siyuan-note/siyuan/kernel

_{-- Delivered by RssEverything service}

GO-2026-4841

Thu, 26 Mar 2026 18:03:45 -0400

CVE-2026-27889, GHSA-pq2q-rcw4-3hr6, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4838

Thu, 26 Mar 2026 18:03:38 -0400

CVE-2026-33638, GHSA-m983-7426-5hrj, github.com/lin-snow/ech0, Published: Mar 26, 2026, Unreviewed, Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0

_{-- Delivered by RssEverything service}

GO-2026-4837

Thu, 26 Mar 2026 18:03:33 -0400

CVE-2026-33218, GHSA-vprv-35vv-q339, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS has pre-auth server panic via leafnode handling in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4836

Thu, 26 Mar 2026 18:03:24 -0400

CVE-2026-33216, GHSA-v722-jcv5-w7mc, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS has MQTT plaintext password disclosure in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4835

Thu, 26 Mar 2026 18:03:21 -0400

CVE-2026-33223, GHSA-pwx7-fx9r-hr4h, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4834

Thu, 26 Mar 2026 18:03:12 -0400

CVE-2026-33217, GHSA-jxxm-27vp-c3m5, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS allows MQTT clients to bypass ACL checks in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4833

Thu, 26 Mar 2026 18:03:11 -0400

CVE-2026-33215, GHSA-fcjp-h8cc-6879, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS is vulnerable to MQTT hijacking via Client ID in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4832

Thu, 26 Mar 2026 18:03:00 -0400

CVE-2026-33222, GHSA-9983-vrx2-fg9c, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4831

Thu, 26 Mar 2026 18:02:56 -0400

CVE-2026-33219, GHSA-8r68-gvr4-jh7j, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS is vulnerable to pre-auth DoS through WebSockets client service in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4830

Thu, 26 Mar 2026 18:02:47 -0400

CVE-2026-33246, GHSA-55h8-8g96-x4hj, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4829

Thu, 26 Mar 2026 18:02:47 -0400

CVE-2026-29785, GHSA-52jh-2xxh-pwh6, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4828

Thu, 26 Mar 2026 18:02:37 -0400

CVE-2026-33248, GHSA-3f24-pcvm-5jqc, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4827

Thu, 26 Mar 2026 18:02:33 -0400

CVE-2026-33247, GHSA-x6g4-f6q3-fqvv, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS credentials are exposed in monitoring port via command-line argv in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4826

Thu, 26 Mar 2026 18:02:24 -0400

CVE-2026-33249, GHSA-8m2x-3m6q-6w8j, github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, Published: Mar 26, 2026, Unreviewed, NATS: Message tracing can be redirected to arbitrary subject in github.com/nats-io/nats-server

_{-- Delivered by RssEverything service}

GO-2026-4825

Thu, 26 Mar 2026 18:02:20 -0400

CVE-2026-33619, GHSA-xqq2-4j46-vwp7, github.com/pinchtab/pinchtab, Published: Mar 26, 2026, Unreviewed, PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl in github.com/pinchtab/pinchtab

_{-- Delivered by RssEverything service}

GO-2026-4824

Thu, 26 Mar 2026 18:02:17 -0400

CVE-2026-33622, GHSA-w5pc-m664-r62v, github.com/pinchtab/pinchtab, Published: Mar 26, 2026, Unreviewed, A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution in github.com/pinchtab/pinchtab

_{-- Delivered by RssEverything service}

GO-2026-4823

Thu, 26 Mar 2026 18:02:09 -0400

CVE-2026-33623, GHSA-p8mm-644p-phmh, github.com/pinchtab/pinchtab, Published: Mar 26, 2026, Unreviewed, PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab

_{-- Delivered by RssEverything service}

GO-2026-4822

Thu, 26 Mar 2026 18:02:00 -0400

CVE-2026-33620, GHSA-mrqc-3276-74f8, github.com/pinchtab/pinchtab, Published: Mar 26, 2026, Unreviewed, PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems in github.com/pinchtab/pinchtab

_{-- Delivered by RssEverything service}

GO-2026-4821

Thu, 26 Mar 2026 18:01:53 -0400

CVE-2026-33621, GHSA-j65m-hv65-r264, github.com/pinchtab/pinchtab, Published: Mar 26, 2026, Unreviewed, PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token in github.com/pinchtab/pinchtab

_{-- Delivered by RssEverything service}

GO-2026-4820

Thu, 26 Mar 2026 18:01:51 -0400

GHSA-7789-65hx-f26w, github.com/gtsteffaniak/filebrowser/backend, Published: Mar 26, 2026, Unreviewed, FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel in github.com/gtsteffaniak/filebrowser/backend

_{-- Delivered by RssEverything service}

GO-2026-4818

Thu, 26 Mar 2026 18:01:44 -0400

CVE-2026-33525, GHSA-gmfg-3v4q-9qr4, github.com/authelia/authelia, github.com/authelia/authelia/v4, Published: Mar 26, 2026, Unreviewed, Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia

_{-- Delivered by RssEverything service}

GO-2026-4817

Thu, 26 Mar 2026 18:01:37 -0400

CVE-2026-33528, GHSA-4753-cmc8-8j9v, github.com/yusing/godoxy, Published: Mar 26, 2026, Unreviewed, GoDoxy has a Path Traversal Vulnerability in its File API in github.com/yusing/godoxy

_{-- Delivered by RssEverything service}

GO-2026-4816

Thu, 26 Mar 2026 18:01:29 -0400

CVE-2026-3864, GHSA-2mjq-54qg-7w6j, github.com/kubernetes-csi/csi-driver-nfs, Published: Mar 26, 2026, Unreviewed, NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter in github.com/kubernetes-csi/csi-driver-nfs

_{-- Delivered by RssEverything service}

GO-2026-4815

Wed, 25 Mar 2026 17:05:25 -0400

CVE-2026-33809, GHSA-44p7-9xx4-hf2g, golang.org/x/image, Published: Mar 25, 2026

Modified: Apr 06, 2026

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

GO-2026-4814

CVE-2026-30886, GHSA-f35r-v9x5-r8mc
Affects: github.com/QuantumNous/new-api
Published: Mar 26, 2026, Unreviewed, New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check in github.com/QuantumNous/new-api

_{-- Delivered by RssEverything service}

GO-2026-4813

Thu, 26 Mar 2026 18:01:28 -0400

CVE-2026-32879, GHSA-5353-f8fq-65vc, github.com/QuantumNous/new-api, Published: Mar 26, 2026, Unreviewed, New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure in github.com/QuantumNous/new-api

_{-- Delivered by RssEverything service}

GO-2026-4812

Thu, 26 Mar 2026 18:01:23 -0400

CVE-2026-26304, GHSA-4pmx-622h-x359, github.com/mattermost/mattermost-plugin-playbooks, Published: Mar 23, 2026, Unreviewed, Mattermost fails to verify run_create permission for empty playbookId in github.com/mattermost/mattermost-plugin-playbooks

_{-- Delivered by RssEverything service}

GO-2026-4811

Mon, 23 Mar 2026 20:02:25 -0400

CVE-2026-33474, GHSA-wc83-79hj-hpmq, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api from v1.0.0-rc0 before v2.2.0.

_{-- Delivered by RssEverything service}

GO-2026-4810

Mon, 23 Mar 2026 20:02:23 -0400

CVE-2026-33495, GHSA-vhr5-ggp3-qq85, github.com/ory/oathkeeper, Published: Mar 23, 2026, Unreviewed, Ory Oathkeeper has an authentication bypass by usage of untrusted header in github.com/ory/oathkeeper

_{-- Delivered by RssEverything service}

GO-2026-4809

Mon, 23 Mar 2026 20:02:18 -0400

CVE-2026-33481, GHSA-rjcw-vg7j-m9rc, github.com/anchore/syft, Published: Mar 23, 2026, Unreviewed, Syft improper temporary file cleanup in github.com/anchore/syft

_{-- Delivered by RssEverything service}

GO-2026-4808

Tue, 07 Apr 2026 12:24:43 -0400

CVE-2026-33343, GHSA-rfx7-8w68-q57q, go.etcd.io/etcd, go.etcd.io/etcd/v3, Published: Apr 07, 2026

Nested etcd transactions bypass RBAC authorization checks in go.etcd.io/etcd

GO-2026-4807

CVE-2026-33504, GHSA-r9w3-57w2-gch2
Affects: github.com/ory/hydra, github.com/ory/hydra/v2
Published: Mar 23, 2026, Unreviewed, Ory Hydra has a SQL injection via forged pagination tokens in github.com/ory/hydra

_{-- Delivered by RssEverything service}

GO-2026-4806

Tue, 07 Apr 2026 12:24:38 -0400

CVE-2026-33413, GHSA-q8m4-xhhv-38mg, go.etcd.io/etcd, go.etcd.io/etcd/v3, Published: Apr 07, 2026

Authorization bypasses in multiple APIs in go.etcd.io/etcd

GO-2026-4805

CVE-2026-33473, GHSA-p747-qc5p-773r
Affects: code.vikunja.io/api
Published: Mar 23, 2026, Unreviewed, Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

_{-- Delivered by RssEverything service}

GO-2026-4804

Mon, 23 Mar 2026 20:02:01 -0400

CVE-2026-33494, GHSA-p224-6x5r-fjpm, github.com/ory/oathkeeper, Published: Mar 23, 2026, Unreviewed, Ory Oathkeeper has a path traversal authorization bypass in github.com/ory/oathkeeper

_{-- Delivered by RssEverything service}

GO-2026-4803

Mon, 23 Mar 2026 20:01:51 -0400

CVE-2026-33419, GHSA-jv87-32hw-hh99, github.com/minio/minio, Published: Mar 23, 2026, Unreviewed, MinIO LDAP login brute-force via user enumeration and missing rate limit in github.com/minio/minio

_{-- Delivered by RssEverything service}

GO-2026-4802

Mon, 23 Mar 2026 20:01:48 -0400

CVE-2026-33476, GHSA-hhgj-gg9h-rjp7, github.com/siyuan-note/siyuan/kernel, Published: Mar 23, 2026, Unreviewed, Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal in github.com/siyuan-note/siyuan/kernel

_{-- Delivered by RssEverything service}

GO-2026-4801

Mon, 23 Mar 2026 20:01:40 -0400

CVE-2026-33503, GHSA-hgx2-28f8-6g2r, github.com/ory/kratos, Published: Mar 23, 2026, Unreviewed, Ory Kratos has a SQL injection via forged pagination tokens in github.com/ory/kratos

_{-- Delivered by RssEverything service}

GO-2026-4800

Mon, 23 Mar 2026 20:01:32 -0400

CVE-2026-33505, GHSA-c38g-mx2c-9wf2, github.com/ory/keto, Published: Mar 23, 2026, Unreviewed, Ory Keto has a SQL injection via forged pagination tokens in github.com/ory/keto

_{-- Delivered by RssEverything service}

GO-2026-4799

Mon, 23 Mar 2026 20:01:29 -0400

CVE-2026-33496, GHSA-4mq7-pvjg-xp2r, github.com/ory/oathkeeper, Published: Mar 23, 2026, Unreviewed, Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper

_{-- Delivered by RssEverything service}

GO-2026-4798

Mon, 23 Mar 2026 20:01:19 -0400

CVE-2026-33316, GHSA-vq4q-79hh-q767, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4797

Mon, 23 Mar 2026 20:01:16 -0400

CVE-2026-33313, GHSA-mr3j-p26x-72x4, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4796

Mon, 23 Mar 2026 20:01:08 -0400

CVE-2026-4342, GHSA-f53h-mxv9-cp98, k8s.io/ingress-nginx, Published: Mar 23, 2026, Unreviewed, ingress-nginx comment-based nginx configuration injection in k8s.io/ingress-nginx

_{-- Delivered by RssEverything service}

GO-2026-4795

Mon, 23 Mar 2026 20:01:07 -0400

CVE-2026-33312, GHSA-564f-wx8x-878h, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api before v2.2.0.

_{-- Delivered by RssEverything service}

GO-2026-4794

Mon, 23 Mar 2026 20:00:59 -0400

CVE-2026-33315, GHSA-47cr-f226-r4pq, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

_{-- Delivered by RssEverything service}

GO-2026-4793

Mon, 23 Mar 2026 20:00:54 -0400

CVE-2026-32305, GHSA-wvvq-wgcr-9q48, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Mar 23, 2026, Unreviewed, Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4792

Mon, 23 Mar 2026 20:00:43 -0400

CVE-2026-32595, GHSA-g3hg-j4jv-cwfr, github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more, Published: Mar 23, 2026, Unreviewed, Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration in github.com/traefik/traefik

_{-- Delivered by RssEverything service}

GO-2026-4791

Mon, 23 Mar 2026 20:00:40 -0400

CVE-2026-29794, GHSA-m547-hp4w-j6jx, code.vikunja.io/api, Published: Mar 23, 2026, Unreviewed, Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: code.vikunja.io/api from v0.8.0 before v2.2.0.

_{-- Delivered by RssEverything service}

GO-2026-4790

Tue, 07 Apr 2026 12:24:29 -0400

CVE-2026-26931, GHSA-5vrw-qjxw-89r5, github.com/elastic/beats, github.com/elastic/beats/v7, Published: Apr 07, 2026

Metricbeat Allocates Memory with Excessive Size Value Leading to Denial of Service in github.com/elastic/beats

GO-2026-4789

CVE-2026-26933, GHSA-27qj-9gvp-8rh9
Affects: github.com/elastic/beats, github.com/elastic/beats/v7
Published: Apr 07, 2026

Packetbeat does not properly validate an array index in multiple protocol parser components in github.com/elastic/beats

GO-2026-4788

CVE-2026-33353, GHSA-xgxp-f695-6vrp
Affects: github.com/charmbracelet/soft-serve
Published: Mar 23, 2026, Unreviewed, In Soft Serve, an authenticated repo import can clone server-local private repositories in github.com/charmbracelet/soft-serve

_{-- Delivered by RssEverything service}

GO-2026-4786

Mon, 23 Mar 2026 20:00:26 -0400

CVE-2026-22545, GHSA-rv67-7w2g-7976, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more, Published: Mar 23, 2026, Unreviewed, Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127144908-ced9a56e3988.

_{-- Delivered by RssEverything service}