go
go
- CVE-2026-50551 - SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
- CVE-2026-54063 - Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
- CVE-2026-54066 - SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CV
- CVE-2026-54067 - SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
- CVE-2026-54069 - SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
- CVE-2026-54070 - SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
- CVE-2026-54072 - Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
- CVE-2026-54088 - File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
- CVE-2026-54089 - File Browser: Authentication Bypass via Proxy Auth Header Forgery
- CVE-2026-54158 - SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
- CVE-2026-54174 - melange: Incomplete package integrity verification allows data section substitution
- CVE-2026-55229 - Gotenberg is a Docker-powered stateless API for PDF files
- CVE-2026-55882 - Tilt defines dev environments as code for microservice apps on Kubernetes
- CVE-2026-56254 - In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the p
- CVE-2026-56261 - Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /
- CVE-2026-56279 - Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function
- CVE-2026-56305 - Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that all
- CVE-2026-56335 - Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly
- CVE-2026-59161 - Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets
- CVE-2026-50553 - Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
- CVE-2026-59726 - Ruflo is an agent meta-harness for Claude Code and Codex
- CVE-2026-59832 - SiYuan is an open-source personal knowledge management system
- CVE-2026-50197 - Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
- CVE-2026-52831 - Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE
- CVE-2026-53649 - Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
- CVE-2026-54784 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-33655 - New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
- CVE-2026-53552 - Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers
- CVE-2026-53553 - Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
- CVE-2026-20896 - Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowin
- CVE-2026-44454 - Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
- CVE-2026-14363 - Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wiki
- CVE-2026-53488 - containerd is an open-source container runtime
- CVE-2026-58521 - Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wiki
- CVE-2026-27957 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-49478 - Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Se
- CVE-2026-49821 - Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
- CVE-2026-49822 - Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
- CVE-2026-49823 - Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
- CVE-2026-49824 - Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
- CVE-2026-50545 - Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
- CVE-2026-50563 - Fission Container Executor Function PodSpec Injection Leading to Node Escape
- CVE-2026-50564 - Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
- CVE-2026-50566 - Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation
- CVE-2026-56219 - Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac functio
- CVE-2026-56230 - Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accep
- CVE-2026-56233 - Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenti
- CVE-2026-56247 - Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role s
- CVE-2026-56249 - Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that all
- CVE-2026-56286 - Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that al
- CVE-2026-56300 - Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for
- CVE-2026-56320 - Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supp
- CVE-2026-58165 - OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows aut
- CVE-2026-44840 - Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
- CVE-2026-55092 - Trivy security control bypass
- CVE-2026-49338 - gonic playlist path traversal
- CVE-2026-49339 - gonic playlist ownership bypass
- CVE-2026-49340 - gonic playlist arbitrary file write
- CVE-2026-53519 - Nezha dashboard path traversal leaks JWT secret
- GHSA-q6xx-5vr8-p898 - Nezha WebSocket stream ownership bypass
- CVE-2026-39830 - Go x/crypto ssh unsolicited response deadlock
- CVE-2026-39831 - Go x/crypto ssh FIDO presence bypass
- CVE-2026-39832 - Go x/crypto ssh agent forwarded constraint loss
- CVE-2026-39833 - Go x/crypto ssh agent confirm constraint bypass
- CVE-2026-39834 - Go x/crypto ssh large channel write infinite loop
- CVE-2026-42508 - Go x/crypto knownhosts revoked CA bypass
- CVE-2026-45405 - Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supp
- CVE-2026-45406 - Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openre
- CVE-2026-46386 - OpenProject is open-source, web-based project management software
- CVE-2026-46595 - Go x/crypto ssh VerifiedPublicKeyCallback auth bypass
- CVE-2026-48749 - Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image
- CVE-2026-48750 - Incus has an arbitrary file write on host via exec-output symlink in crafted image
- CVE-2026-48751 - Incus has a restricted project bypass leading to arbitrary command execution
- CVE-2026-48752 - Incus has arbitrary file read+write on host via templates/ symlink in malicious image
- CVE-2026-48753 - Incus has an arbitrary file write via path traversal in S3 multipart upload
- CVE-2026-48755 - Incus has an argument injection in backup compression algorithm leading to AFW and ACE
- CVE-2026-48769 - Incus has an arbitrary file write on its client due to trusted image hash
- CVE-2026-48788 - Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
- CVE-2026-49258 - Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
- CVE-2026-53576 - Kestra is an open-source, event-driven orchestration platform
- CVE-2026-54350 - Budibase is an open-source low-code platform
- CVE-2026-54636 - Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to man
- CVE-2026-39829 - golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS
- CVE-2026-46597 - golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic
- CVE-2026-48702 - Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic
- CVE-2026-48708 - OliveTin template race command contamination
- CVE-2026-53145 - In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, a
- CVE-2026-53176 - In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than I
- CVE-2026-6325 - Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a
- CVE-2026-50189 - Appsmith is a platform to build admin panels, internal tools, and dashboards
- CVE-2026-53090 - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ld_{abs,ind} failure path analysi
- CVE-2023-54365 - Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handl
- CVE-2026-52806 - Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
- CVE-2026-53754 - Crawl4AI is an open-source LLM friendly web crawler & scraper
- CVE-2026-53755 - Crawl4AI is an open-source LLM friendly web crawler & scraper
- CVE-2026-53999 - Radius controller confused-deputy delete
- CVE-2026-54090 - File Browser shell metacharacter command injection
- CVE-2026-47252 - Anyquery browser plugin AppleScript/JXA injection
- CVE-2026-47724 - nebula-mesh API ownership authorization bypass
- CVE-2026-49396 - Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
- CVE-2026-44210 - Kata virtiofsd annotation VM escape
- CVE-2026-33032 - nginx-ui MCP auth bypass
- CVE-2026-45803 - GitHub CLI Actions log terminal escape injection
- GHSA-hf2g-6j7h-98wg - Klever-Go direct-message goroutine DoS
- GHSA-rm5c-5x2p-48wr - Klever-Go P2P nil RawData DoS
- GHSA-w4c6-7r69-w7j9 - Klever-Go REST API slow-header DoS
- CVE-2026-30861 - WeKnora MCP stdio command injection
- CVE-2026-48119 - Nezha service-monitor result forgery
- CVE-2026-48501 - GitHub CLI TUF token leakage
- CVE-2026-46243 - In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego
- CVE-2026-46384 - iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled
- CVE-2026-46385 - iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attac
- CVE-2026-46117 - In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON
- CVE-2026-9094 - Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check
- CVE-2026-3473 - Mattermost doesn't validate file ownership and access control
- CVE-2026-5308 - Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
- CVE-2026-5740 - Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
- CVE-2026-7374 - KubeVirt has a Link Following vulnerability
- CVE-2026-46716 - Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
- CVE-2026-46717 - Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
- CVE-2026-42595 - Gotenberg Chromium URL SSRF
- CVE-2026-44542 - FileBrowser public share DELETE path traversal
- CVE-2026-42294 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-42296 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-42297 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-42274 - Heimdall policy interpretation bypass cluster
- CVE-2026-33811 - When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C me
- CVE-2026-42880 - Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
- CVE-2025-71261 - Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
- CVE-2026-43226 - In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR
- CVE-2026-40884 - goshs empty-username SFTP authentication bypass
- CVE-2026-39383 - Gotenberg webhook SSRF
- CVE-2026-39858 - Traefik forwarded alias auth bypass
- CVE-2026-40280 - Gotenberg SSRF deny-list bypass
- CVE-2026-40281 - Gotenberg ExifTool argument injection
- CVE-2026-41589 - Wish SCP path traversal
- CVE-2026-42461 - Arcane Compose template secret disclosure
- CVE-2026-42560 - go-pkgz/auth Patreon identity collision
- GHSA-74m3 - zrok WebDAV DriveRoot symlink escape
- CVE-2026-41602 - Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This
- CVE-2026-40886 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-41246 - Contour is a Kubernetes ingress controller using Envoy proxy
- CVE-2026-40611 - Let's Encrypt client and ACME library written in Go (Lego)
- CVE-2026-35469 - spdystream is a Go library for multiplexing streams over SPDY connections
- CVE-2026-27806 - Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
- CVE-2026-39883 - OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-29181 - OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-33815 - pgx contains memory-safety vulnerability
- CVE-2026-34742 - The Go MCP SDK used Go's standard encoding/json
- CVE-2026-33487 - goxmlsig provides XML Digital Signatures implemented in Go
- CVE-2026-33186 - gRPC-Go is the Go language implementation of gRPC
- CVE-2026-28229 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-31892 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2025-15558 - Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that doe
- CVE-2026-28400 - Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker
- CVE-2026-28406 - kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster
- CVE-2026-27896 - The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in ver
- CVE-2025-61732 - A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo
- CVE-2025-61731 - Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial
- CVE-2025-4948 - A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commo
- CVE-2024-52009 - Git credentials are exposed in Atlantis logs