CVE-2026-48708

OliveTin is affected by a race condition in the template engine. In versions up to 3000.0.0, a single shared text/template.Template instance (tpl) is used across all goroutines, and actions perform tpl.Parse(source) followed by t.Execute() without synchronization. Under concurrent ExecRequests, t...

GHSA-HF2G-6J7H-98WG klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS

Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

PT-2026-48346

Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CVE-2026-32934

CoreDNS prior to version 1.14.3 is vulnerable: the DNS-over-QUIC (DoQ) server can spawn unbounded goroutines/memory growth when a remote client opens many QUIC streams and sends 1 byte per stream. With a full worker pool, CoreDNS still creates a goroutine per stream to wait for a worker token, an...

CVE-2026-32934

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a...

CoreDNS 安全漏洞

CoreDNS is a DNS server within the CoreDNS community. Versions of CoreDNS prior to 1.14.3 contained a security vulnerability. This vulnerability stemmed from the DNS-over-QUIC server, where remote clients opened numerous QUIC streams and sent only 1 byte of data. This could lead to unlimited...

Astra Linux - Vulnerability in Golang-1.19

A malicious HTTP/2 client that quickly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is limited by the http2.Server.MaxConcurrentStreams setting, resetting an ongoing request allows the attacker to create a new...

PT-2026-37094

Name of the Vulnerable Software and Affected Versions CoreDNS versions prior to 1.14.3 Description The DNS-over-QUIC DoQ server can be driven into unbounded goroutine and memory growth by an unauthenticated remote attacker. This occurs when a client opens numerous QUIC streams and sends only one...

SUSE CVE-2026-26999

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared befor...

CVE-2026-26999 Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (slowloris doS)

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared befor...

PT-2026-23084

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.38 and versions prior to 3.6.9 Description Traefik, an HTTP reverse proxy and load balancer, has an issue in its handling of TLS handshakes on TCP routers. The read deadline used for protocol sniffing is cleared...

emp3r0r 安全漏洞

emp3r0r is a Linux framework tool developed by Jimmy Mi. Versions of emp3r0r prior to 3.21.2 contained security vulnerabilities. These vulnerabilities stemmed from inconsistent synchronization among multiple shared mappings when accessed by goroutines, which could lead to concurrent mapping...

BIT-GRAFANA-2026-21720 Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel...

PT-2026-20560

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel...

Linux Distros Unpatched Vulnerability : CVE-2026-21720

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three...

CVE-2026-21720

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel...

CVE-2026-21720

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel...

CVE-2026-21720

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel...