37 matches found
CVE-2026-41602
CVE-2026-41602: Integer Overflow or Wraparound in Apache Thrift Go TFramedTransport (uint32 overflow) affecting Thrift before 0.23.0. Affected component: Apache Thrift’s Go TFramedTransport implementation. Root cause: uint32 overflow/wraparound in framing transport handling. Impact: potential ove...
CLEANSTART-2026-CD13174 gRPC-Go is the Go language implementation of gRPC
Multiple security vulnerabilities affect the prometheus package. gRPC-Go is the Go language implementation of gRPC. See references for individual vulnerability details...
CIRCL Security Vulnerability
CIRCL is an open-source collection of cryptographic primitives written in Go by Cloudflare. CIRCL has a security vulnerability, which stems from the CombinedMult function generating incorrect values for specific inputs, potentially leading to computational errors...
Linux Distros Unpatched Vulnerability : CVE-2026-26014
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES...
Exploit for Deserialization of Untrusted Data in Facebook React
next88 - React Server Components RCE Scanner High-performance...
CVE-2025-64702
CVE-2025-64702 affects quic-go (Go QUIC implementation) and is documented across multiple feeds. The issue occurs in versions 0.56.0 and earlier where the HTTP/3 client and server decode QPACK HEADERS frames into http.Header without enforcing a decoded-header size limit, leading to memory exhaust...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-2025-55182: React Server Components RCE Scanner A compreh...
Claude Code Can Debug Low-level Cryptography
Over the past few days I wrote a new Go implementation of ML-DSA, a post-quantum signature algorithm specified by NIST last summer. I livecoded it all over four days, finishing it on Thursday evening. Except… Verify was always rejecting valid signatures. $ bin/go test crypto/internal/fips140/mlds...
PT-2025-41573
Name of the Vulnerable Software and Affected Versions quic-go versions prior to 0.49.0 quic-go versions prior to 0.54.1 quic-go versions prior to 0.55.0 Description quic-go is an implementation of the QUIC protocol in Go. In affected versions, a malicious or misbehaving server can cause a...
EUVD-2024-3494
Malicious code in bioql PyPI...
EUVD-2024-1180
Malicious code in bioql PyPI...
EUVD-2024-2931
Malicious code in bioql PyPI...
Exploit for CVE-2024-28397
CVE-2024-28397 js2py Sandbox Escape Exploit A collection of e...
ALSA-2025:9150 Moderate: gvisor-tap-vsock security update
A replacement for libslirp and VPNKit, written in pure Go. It is based on the network stack of gVisor. Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in...
CVE-2025-29785
quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different...
Important: runfinch-finch
Issue Overview: golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose Authorization header consist...
Snowflake gosnowflake Security Vulnerability
Snowflake gosnowflake is a golang implementation of the id issuer from Snowflake USA. A security vulnerability exists in Snowflake gosnowflake versions prior to 1.7.0 through 1.13.3, which stems from a TOCTOU race condition that could result in log configuration being overwritten...
CBL Mariner 2.0 Security Update: coredns (CVE-2024-53259)
The version of coredns installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-53259 advisory. - quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too...
Amazon Linux 2 : docker (ALASECS-2025-048)
The version of docker installed on the remote host is prior to 25.0.8-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2025-048 advisory. golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to...
Azure Linux 3.0 Security Update: coredns (CVE-2024-22189)
The version of coredns installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-22189 advisory. - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its...