RHEL 8 / 9 : OpenShift Container Platform 4.18.33 (RHSA-2026:2071)
The remote Red Hat Enterprise Linux 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:2071 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private clo...
OPENSUSE-SU-2026:10164-1 go1.25-1.25.7-1.1 on GA media
These are all security issues fixed in the go1.25-1.25.7-1.1 package on the GA media of openSUSE Tumbleweed...
BIT-GOLANG-2025-22873 Improper access to parent directory of root in os
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained with...
CVE-2025-58190
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content...
GO-2026-4425 Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern in github.com/rancher/local-path-provisioner
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern in github.com/rancher/local-path-provisioner...
BIT-GOLANG-2025-61726 Memory exhaustion in query parameter parsing in net/url
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
EUVD-2026-4740
gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and CPU cycles. ReadFile can consume an extended TLV with lengths well...
mapstructure security vulnerability
MapStructure is a Go language library developed by Viper. There is a security vulnerability in MapStructure. This vulnerability arises from the use of MapStructure.WeakDecode: errors raised during decoding may include sensitive input values, potentially causing information leaks...
CVE-2026-24137
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...
GO-2026-4308 Shiori is vulnerable to authentication bypass via a brute force attack in github.com/go-shiori/shiori
Shiori is vulnerable to authentication bypass via a brute force attack in github.com/go-shiori/shiori...
GO-2026-4290 Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve
Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve...
CVE-2025-1243
The Temporal api-go library prior to version 1.44.1 did not send update response information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the update response field not having Data...
CVE-2025-1386
When using the ch-go library, under a specific condition where the query includes large, uncompressed, malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream...
GO-2025-4250 Amazon S3 Encryption Client has a Key Commitment Issue in github.com/aws/amazon-s3-encryption-client-go
Amazon S3 Encryption Client has a Key Commitment Issue in github.com/aws/amazon-s3-encryption-client-go...
CLSA-2025-1766233299 go-rpm-macros: Fix of CVE-2025-47906
CVE-2025-47906: fix unexpected paths returned from LookPath in os/exec...
CVE-2025-64702 quic-go HTTP/3 QPACK Header Expansion DoS
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...
SMTP Command-smuggling
github.com/wneessen/go-mail is vulnerable to SMTP command-smuggling. The vulnerability is due to incorrect handling of mail.Address values when constructing the MAIL FROM and RCPT TO SMTP commands, which allows an attacker to smuggle extra ESMTP parameters or manipulate recipient routing by...
Denial of Service (DoS)
Overview: github.com/dvsekhvalnov/jose2go is a pure Golang (Go) library for generating, decoding and encrypting JSON Web Tokens. Zero dependency, relies only on the standard library. Affected versions of this package are vulnerable to Denial of Service (DoS) via the processing of crafted JSON Web Encrypti...
CVE-2025-64346 archives: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user from feeding a specially crafted archive to the library, causing RCE, modification of files or other malignancies in the context of whatever user is running this library, through the...
EUVD-2015-5687
Malware in sbrugna...