GO-2026-4738 File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser

File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser...

GO-2026-4886 Incus vulnerable to denial of source through crafted bucket backup file in github.com/lxc/incus

Incus vulnerable to denial of source through crafted bucket backup file in github.com/lxc/incus...

GO-2026-4903 nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI

nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI...

GO-2026-4844 Zoraxy: Authenticated Path Traversal in Config Import leads to RCE in github.com/tobychui/zoraxy

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE in github.com/tobychui/zoraxy...

GO-2026-4832 NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server

NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server...

GO-2026-4829 NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server

NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server...

GO-2026-4813 New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure in github.com/QuantumNous/new-api

New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure in github.com/QuantumNous/new-api...

GO-2026-4827 NATS credentials are exposed in monitoring port via command-line argv in github.com/nats-io/nats-server

NATS credentials are exposed in monitoring port via command-line argv in github.com/nats-io/nats-server...

GO-2026-4826 NATS: Message tracing can be redirected to arbitrary subject in github.com/nats-io/nats-server

NATS: Message tracing can be redirected to arbitrary subject in github.com/nats-io/nats-server...

GO-2026-4708 SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes in github.com/siyuan-note/siyuan

SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes in github.com/siyuan-note/siyuan...

GO-2026-4701 github.com/ctfer-io/monitoring Vulnerable to Improper Access Control

github.com/ctfer-io/monitoring Vulnerable to Improper Access Control...

GO-2026-4796 ingress-nginx comment-based nginx configuration injection in k8s.io/ingress-nginx

ingress-nginx comment-based nginx configuration injection in k8s.io/ingress-nginx...

GO-2026-4794 Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api...

GO-2026-4758 free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request in github.com/free5gc/udm

free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request in github.com/free5gc/udm...

GO-2026-4567 Vitess users can gain unauthorized access to production deployment environments in vitess.io/vitess

Vitess users with backup storage access can gain unauthorized access to production deployment environments in vitess.io/vitess...

GO-2026-4564 Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet

Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet...

GO-2026-4410 apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko

apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko...

GO-2026-4532 New API has Potential XSS in its MarkdownRenderer component in github.com/QuantumNous/new-api

New API has Potential XSS in its MarkdownRenderer component in github.com/QuantumNous/new-api...

GO-2026-4434 EVE Seals Vault Key With SHA1 PCRs in github.com/lf-edge/eve

EVE Seals Vault Key With SHA1 PCRs in github.com/lf-edge/eve...

GO-2026-4408 melange pipeline working-directory could allow command injection in chainguard.dev/melange

melange pipeline working-directory could allow command injection in chainguard.dev/melange...