Go vulnerabilities | Corgea Advisories

UNKNOWN

Go

CVE-2026-54090

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

Jun 12, 2026

MEDIUM 5.0

Go

CVE-2026-48096

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Jun 11, 2026

MEDIUM 6.1

Go

CVE-2026-41568

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

May 18, 2026

HIGH 7.2

Go

CVE-2026-42306

Docker: Race condition in docker cp allows bind mount redirection to host path

May 18, 2026

HIGH 7.5

Go

CVE-2026-54091

File Browser has incorrect access control for public directory shares via rule path rebasing

Jun 12, 2026

UNKNOWN

Go

CVE-2026-54093

File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-54092

File Browser has a DoS Vulnerability via Public Login API

Jun 12, 2026

MEDIUM 6.8

Go

CVE-2026-54094

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

Jun 12, 2026

UNKNOWN

Go

CVE-2026-54097

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-46371

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Jun 12, 2026

UNKNOWN

Go

CVE-2026-54096

File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-46370

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Jun 12, 2026

UNKNOWN

Go

CVE-2026-44981

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression

May 27, 2026

HIGH 7.7

Go

CVE-2026-53999

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

Jun 12, 2026

MEDIUM 4.4

Go

CVE-2026-47190

IPAM controller service account granted unnecessary full access to Secrets

May 29, 2026

HIGH 7.5

Go

CVE-2026-32936

CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification

Apr 28, 2026

UNKNOWN

Go

GHSA-6vgg-xhvh-38ff

nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store

Jun 12, 2026

MEDIUM 5.9

Go

CVE-2026-48154

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Jun 12, 2026

UNKNOWN

Go

CVE-2026-48113

Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection

Jun 12, 2026

MEDIUM 6.8

Go

GHSA-9r4w-jg96-92mv

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Jun 12, 2026

UNKNOWN

Go

CVE-2025-68121

Unexpected session resumption in crypto/tls

Feb 5, 2026

UNKNOWN

Go

CVE-2026-25679

Incorrect parsing of IPv6 host literals in net/url

Mar 6, 2026

UNKNOWN

Go

CVE-2025-61728

Excessive CPU consumption when building archive index in archive/zip

Jan 28, 2026

UNKNOWN

Go

CVE-2025-61729

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Dec 2, 2025

UNKNOWN

Go

CVE-2025-61726

Memory exhaustion in query parameter parsing in net/url

Jan 28, 2026

HIGH 7.7

Go

CVE-2026-47701

OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth

Jun 10, 2026

HIGH 8.0

Go

CVE-2026-11401

AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance

Jun 11, 2026

UNKNOWN

Go

CVE-2026-48089

DevGuard has improper authorization on public assets

Jun 11, 2026

UNKNOWN

Go

CVE-2026-32934

CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns

May 20, 2026

UNKNOWN

Go

CVE-2026-48050

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Jun 11, 2026

UNKNOWN

Go

CVE-2026-46668

SpiceDB: Caveat structures with nested lists can result in improper cache reuse

May 21, 2026

UNKNOWN

Go

CVE-2026-48020

Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization

Jun 11, 2026

UNKNOWN

Go

CVE-2026-47780

free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence

Jun 11, 2026

UNKNOWN

Go

CVE-2026-32280

Unexpected work during chain building in crypto/x509

Apr 7, 2026

MEDIUM 5.5

Go

CVE-2026-47768

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)

Jun 10, 2026

UNKNOWN

Go

CVE-2026-47753

Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)

Jun 10, 2026

UNKNOWN

Go

CVE-2026-48058

nebula-mesh: Session and OIDC state cookies lack the Secure attribute

Jun 10, 2026

CRITICAL 9.8

Go

CVE-2026-46614

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

May 21, 2026

HIGH 8.1

Go

CVE-2026-45062

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

May 15, 2026

HIGH 8.8

Go

CVE-2026-46612

Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives

May 21, 2026

UNKNOWN

Go

CVE-2026-46617

Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

May 21, 2026

UNKNOWN

Go

CVE-2026-46618

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables

May 21, 2026

UNKNOWN

Go

CVE-2026-48025

nebula-mesh: Decrypted CA private key persists in heap after signing

Jun 10, 2026

HIGH 7.3

Go

CVE-2026-47253

Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion

Jun 10, 2026

MEDIUM 5.3

Go

CVE-2026-49397

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Jun 10, 2026

CRITICAL 9.1

Go

CVE-2026-48031

Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery

Jun 10, 2026

HIGH 7.1

Go

CVE-2026-49396

Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents

Jun 10, 2026

UNKNOWN

Go

CVE-2024-8063

Ollama Divide by Zero Vulnerability in github.com/ollama/ollama

May 15, 2025

UNKNOWN

Go

CVE-2025-51471

Ollama vulnerable to Cross-Domain Token Exposure in github.com/ollama/ollama

Jul 30, 2025

UNKNOWN

Go

CVE-2025-44779

Ollama allows deletion of arbitrary files in github.com/ollama/ollama

Aug 11, 2025

UNKNOWN

Go

CVE-2025-1975

Ollama Server Vulnerable to Denial of Service (DoS) Attack in github.com/ollama/ollama

May 22, 2025

UNKNOWN

Go

CVE-2026-32282

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Apr 7, 2026

UNKNOWN

Go

CVE-2026-32283

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Apr 7, 2026

UNKNOWN

Go

CVE-2026-39826

Escaper bypass leads to XSS in html/template

May 7, 2026

HIGH 8.7

Go

GHSA-7qjx-gp9h-65qj

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

Jun 9, 2026

UNKNOWN

Go

CVE-2026-39824

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

May 22, 2026

Know every threat before it ships

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

Docker: Race condition in docker cp allows bind mount redirection to host path

File Browser has incorrect access control for public directory shares via rule path rebasing

File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames

File Browser has a DoS Vulnerability via Public Login API

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

IPAM controller service account granted unnecessary full access to Secrets

CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification

nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Unexpected session resumption in crypto/tls

Incorrect parsing of IPv6 host literals in net/url

Excessive CPU consumption when building archive index in archive/zip

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Memory exhaustion in query parameter parsing in net/url

OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth

AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance

DevGuard has improper authorization on public assets

CoreDNS' DoQ worker pool does not bound stream backlog in github.com/coredns/coredns

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

SpiceDB: Caveat structures with nested lists can result in improper cache reuse

Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization

free5GC UDR has improper `ueId` validation in EE subscription handlers that allows arbitrary identifier persistence

Unexpected work during chain building in crypto/x509

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)

Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)

nebula-mesh: Session and OIDC state cookies lack the Secure attribute

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files

Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives

Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables

nebula-mesh: Decrypted CA private key persists in heap after signing

Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery

Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents

Ollama Divide by Zero Vulnerability in github.com/ollama/ollama

Ollama vulnerable to Cross-Domain Token Exposure in github.com/ollama/ollama

Ollama allows deletion of arbitrary files in github.com/ollama/ollama

Ollama Server Vulnerable to Denial of Service (DoS) Attack in github.com/ollama/ollama

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Escaper bypass leads to XSS in html/template

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

Start Securing