Launch Week Day 1: Announcing Security Design Review
Start for Free
go

github.com/juev/nebula-mesh

View on go registry
9 Total advisories
9 Vulnerabilities
0 Malware

Vulnerabilities

UNKNOWN
Go

GHSA-6vgg-xhvh-38ff

nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store
MEDIUM 5.5
Go

CVE-2026-47768

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
UNKNOWN
Go

CVE-2026-48058

nebula-mesh: Session and OIDC state cookies lack the Secure attribute
UNKNOWN
Go

CVE-2026-48025

nebula-mesh: Decrypted CA private key persists in heap after signing
UNKNOWN
Go

CVE-2026-47726

nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator
UNKNOWN
Go

CVE-2026-47723

nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
UNKNOWN
Go

CVE-2026-47722

nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
CRITICAL 9.9
Go

CVE-2026-47724

nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
UNKNOWN
Go

CVE-2026-47725

nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes