
72 matches found

OSV
added 2026/05/26 2:54 p.m., 4 views

SUSE-SU-2026:2079-1 Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues. Security issues: - CVE-2026-33811: net: crash when handling long CNAME response bsc1264508. - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE bsc1264506. - CVE-2026-39817: cmd/go: 'go tool...

CVSS 7.5, AI score 6, EPSS 0.00054
Exploits 0, References 25

OSV
added 2026/05/20 8:10 a.m., 3 views

ROOT-APP-GOBINARY-CVE-2026-42154 CVE-2026-42154 in rootio-github.com/prometheus/prometheus - Patched by Root

Root has patched CVE-2026-42154 in the rootio-github.com/prometheus/prometheus package for Root:Go. Multiple fixed versions available...

CVSS 7.5, AI score 5.8, EPSS 0.0002
Exploits 0

Tenable Nessus
added 2026/05/19 12:0 a.m., 5 views

SUSE SLES15 Security Update : zypper-docker (SUSE-SU-2026:1951-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1951-1 advisory. This update for zypper-docker fixes the following issues - CVE-2026-2808: github.com/hashicorp/consul: unvalidated user-supplied fi...

CVSS 9.1, AI score 6.8, EPSS 0.00034
Exploits 1, References 7

OSV
added 2026/05/14 7:10 a.m., 2 views

ROOT-APP-GOBINARY-CVE-2025-32445 CVE-2025-32445 in rootio-github.com/argoproj/argo-events - Patched by Root

Root has patched CVE-2025-32445 in the rootio-github.com/argoproj/argo-events package for Root:Go. Multiple fixed versions available...

CVSS 9.9, AI score 6.1, EPSS 0.00325
Exploits 0

OSV
added 2026/05/13 3:9 a.m., 1 view

MAL-2026-3624 Malicious code in github.com/BufferZoneCorp/go-stdlib-ext (Go)

Source: google-open-source-security (a4e4f74e90479d472a307d311d48214827e21cf93ecf9b0b62ff2cb72adb2c9e). This package is a malicious package, part of the Go BufferZoneCorp and RubyGems knot-theory clusters. The packages in this cluster steal...

AI score 5.8
Exploits 0, References 1

OSV
added 2026/05/09 8:42 a.m., 2 views

OPENSUSE-SU-2026:20711-1 Security update for hauler

This update for hauler fixes the following issues: Changes in hauler: - update to 1.4.3 bsc1262353, CVE-2026-39984, bsc1262942, CVE-2026-34986: 1.4 Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in the gomodules group across 1 directory 1.4 Bump github.com/sigstore/timestamp-authority/v2...

CVSS 7.5, AI score 6.4, EPSS 0.00035
Exploits 0, References 4

SUSE CVE
added 2026/04/06 11:24 p.m., 3 views

SUSE CVE-2026-33487

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version,...

CVSS 7.5, AI score 5.8, EPSS 0.00026
Exploits 1, References 3

OSV
added 2026/03/16 8:27 p.m., 4 views

GO-2026-4696 Gokapi vulnerable to Privilege Escalation in File Replace in github.com/forceu/gokapi

Gokapi vulnerable to Privilege Escalation in File Replace in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanner...

CVSS 4.1, AI score 5.8, EPSS 0.0001
Exploits 0, References 2

OSV
added 2026/03/12 8:57 p.m., 2 views

GO-2026-4689 Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth

Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive report...

CVSS 6.5, AI score 5.8, EPSS 0.00055
Exploits 1, References 3

SUSE CVE
added 2026/03/04 12:28 a.m., 1 view

SUSE CVE-2026-23644

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. path.Clean normalizes a path but does not prevent absolute paths in a malicious tar file...

CVSS 8.7, AI score 5.8, EPSS 0.00117
Exploits 1, References 3

Filippo.io
added 2026/01/05 8:6 p.m., 5 views

go.sum Is Not a Lockfile

I need everyone to stop looking at go.sum, especially to analyze dependency graphs. It is not a “lockfile,” and it has zero semantic effects on version resolution. There is truly no use case for ever parsing it outside of cmd/go. go.sum is only a local cache for the Go Checksum Database. It’s a...

AI score 7
Exploits 0

OSV
added 2025/12/18 12:17 a.m., 2 views

OPENSUSE-SU-2025:20177-1 Security update for cheat

This update for cheat fixes the following issues: - Security: CVE-2025-47913: Fix client process termination bsc1253593 CVE-2025-58181: Fix potential unbounded memory consumption bsc1253922 CVE-2025-47914: Fix panic due to an out of bounds read bsc1254051 Replace...

CVSS 9.8, AI score 6.8, EPSS 0.54214
Exploits 6, References 12

OSV
added 2025/12/15 7:37 p.m., 3 views

GO-2025-4212 ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel

ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

CVSS 9.3, AI score 6.7, EPSS 0.00015
Exploits 0, References 2

OSV
added 2025/11/05 6:41 p.m., 3 views

GO-2025-4083 Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel

Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, pleas...

CVSS 9.8, AI score 6.9, EPSS 0.0012
Exploits 0, References 3

OSV
added 2025/10/30 3:2 p.m., 1 view

GO-2025-4035 Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...

CVSS 8.1, AI score 6.8, EPSS 0.00049
Exploits 0, References 6

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-6978

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00505
Exploits 1, References 6

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-22164

Malicious code in bioql PyPI...

CVSS 6.4, AI score 7, EPSS 0.03204
Exploits 1, References 6

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2025-3035

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.9, EPSS 0.00411
Exploits 0, References 4

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2024-0395

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.7, EPSS 0.00178
Exploits 1, References 6

OSV
added 2025/08/25 6:15 p.m., 1 view

CVE-2025-9412

A vulnerability was detected in lostvip-com ruoyi-go up to 2.1. This affects the function SelectListByPage of the file modules/system/dao/DictDataDao.go. The manipulation of the argument orderByColumn/isAsc results in SQL injection. The attack can be launched remotely. The exploit is now public a...

CVSS 9.8, AI score 7.2
Exploits 0, References 6