Go vulnerabilities | Corgea Advisories

LOW 3.8

Go

CVE-2026-45683

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure

May 18, 2026

LOW 3.1

Go

CVE-2020-8562

Potential proxy IP restriction bypass in Kubernetes

Feb 2, 2022

LOW 3.1

Go

CVE-2021-25740

Confused Deputy in Kubernetes

Sep 21, 2021

LOW 3.9

Go

CVE-2026-30963

Capsule Namespace Hijacking via subresource

May 28, 2026

LOW 2.8

Go

GHSA-rc6v-5rmx-w5mv

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS

May 15, 2026

LOW 3.7

Go

CVE-2026-42082

Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover

May 7, 2026

LOW 3.7

Go

CVE-2026-44474

Ella Core has handover failures during concurrent Security Mode Command

May 11, 2026

LOW 3.1

Go

GHSA-pxh5-6rrc-8rjv

OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server

May 20, 2026

LOW 3.7

Go

CVE-2023-30464

CoreDNS Cache Poisoning via a birthday attack

Sep 18, 2024

LOW 2.7

Go

CVE-2026-45723

Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic

Jun 5, 2026

LOW 3.7

Go

CVE-2026-4273

Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

May 18, 2026

LOW 3.5

Go

CVE-2026-6333

Mattermost doesn't validate the Host header when constructing response URLs for custom slash command

May 18, 2026

LOW 3.1

Go

CVE-2026-4286

Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

May 18, 2026

LOW 3.8

Go

CVE-2026-3495

Mattermost doesn't escape some variables that could contain malicious content during error page composition

May 18, 2026

LOW 3.1

Go

CVE-2026-6334

Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

May 18, 2026

LOW 3.1

Go

CVE-2026-4053

Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields

May 15, 2026

LOW 3.5

Go

CVE-2026-45781

MCP Registry: OCI validator skips ownership check on upstream rate limits

May 19, 2026

LOW 3.1

Go

CVE-2026-24513

ingress-nginx has Improper Check for Unusual or Exceptional Conditions

Feb 4, 2026

LOW 3.5

Go

CVE-2026-45803

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

May 19, 2026

LOW 3.7

Go

CVE-2026-8276

bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go

May 11, 2026

LOW 3.7

Go

CVE-2026-8275

bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function

May 11, 2026

LOW 2.3

Go

CVE-2026-40243

Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots

May 4, 2026

LOW 3.7

Go

CVE-2026-41263

Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Apr 24, 2026

LOW 3.7

Go

CVE-2026-40263

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Apr 13, 2026

LOW 3.7

Go

CVE-2026-21388

Mattermost MS Teams plugin doesn't limit the request body size on the /lifecycle webhook endpoint

Apr 9, 2026

LOW 3.3

Go

CVE-2026-29051

melange has Path Traversal via .PKGINFO in --persist-lint-results

Apr 23, 2026

LOW 2.7

Go

CVE-2026-27769

Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace

Apr 17, 2026

LOW 3.1

Go

CVE-2026-39388

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Apr 21, 2026

LOW 2.0

Go

GO-2024-2703

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

Apr 10, 2024

LOW 2.5

Go

CVE-2020-8912

In-band key negotiation issue in AWS S3 Crypto SDK for golang

Feb 11, 2022

LOW 3.1

Go

CVE-2026-39396

OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)

Apr 21, 2026

LOW 3.5

Go

CVE-2026-34454

OAuth2 Proxy's session cookies are not cleared when rendering sign-in page

Apr 14, 2026

LOW 3.1

Go

GHSA-hw5x-4r37-72w7

OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses

Apr 14, 2026

LOW 3.1

Go

CVE-2026-40109

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Apr 10, 2026

LOW 3.7

Go

CVE-2026-40097

Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Apr 10, 2026

LOW 3.5

Go

CVE-2026-40077

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Apr 10, 2026

LOW 3.5

Go

CVE-2026-5468

Casdoor vulnerable to Stored XSS via Application formCss / formSideHtml

Apr 3, 2026

LOW 2.8

Go

CVE-2026-33762

go-git missing validation decoding Index v4 files leads to panic

Mar 30, 2026

LOW 2.7

Go

CVE-2026-34762

Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber

Apr 1, 2026

LOW 3.8

Go

CVE-2025-14573

Mattermost fails to enforce invite permissions when updating team settings

Feb 16, 2026

LOW 3.1

Go

CVE-2025-41423

Mattermost Playbooks fails to properly validate permissions

Apr 24, 2025

LOW 3.4

Go

CVE-2025-52889

Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks

Jun 26, 2025

LOW 3.3

Go

CVE-2026-33529

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Mar 25, 2026

LOW 3.3

Go

CVE-2025-54410

Moby firewalld reload removes bridge network isolation

Jul 29, 2025

LOW 3.6

Go

CVE-2026-31863

Anytype Heart's gRPC API client challenge verification can be bypassed on localhost

Mar 11, 2026

LOW 3.1

Go

CVE-2026-22545

Mattermost fails to validate user's authentication method when processing account auth type switch

Mar 16, 2026

LOW 3.0

Go

CVE-2021-41190

Clarify Content-Type handling

Nov 18, 2021

LOW 3.7

Go

CVE-2020-15106

Panic due to malformed WALs in go.etcd.io/etcd

Feb 7, 2023

LOW 3.4

Go

CVE-2020-15186

Improper Sanitizing of plugin names in helm

May 24, 2021

LOW 2.2

Go

CVE-2020-15185

Repository index file allows for duplicates of the same chart entry in helm

May 24, 2021

LOW 2.8

Go

CVE-2021-41089

`docker cp` allows unexpected chmod of host files in Moby Docker Engine

Jun 10, 2024

LOW 3.7

Go

CVE-2020-15184

Aliases are never checked in helm

May 24, 2021

LOW 3.7

Go

CVE-2020-4053

Plugin archive directory traversal in Helm

Jun 23, 2021

LOW 3.1

Go

CVE-2020-5303

Denial of service in Tendermint

May 27, 2021

LOW 2.7

Go

CVE-2024-22261

SQL Injection in Harbor scan log API

Jun 2, 2024

LOW 3.0

Go

CVE-2020-15187

plugin.yaml file allows for duplicate entries in helm

May 24, 2021

LOW 3.8

Go

CVE-2025-67860

NeuVector scanner insecurely handles passwords as command arguments

Feb 12, 2026

LOW 3.1

Go

CVE-2025-14822

Mattermost is vulnerable to CPU exhaustion via crafted HTTP request

Jan 16, 2026

LOW 3.1

Go

CVE-2026-20796

Mattermost doesn't properly validate channel membership at the time of data retrieval

Feb 13, 2026

LOW 3.7

Go

CVE-2026-24122

Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped

Feb 19, 2026

Know every threat before it ships

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure

Potential proxy IP restriction bypass in Kubernetes

Confused Deputy in Kubernetes

Capsule Namespace Hijacking via subresource

arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS

Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover

Ella Core has handover failures during concurrent Security Mode Command

OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server

CoreDNS Cache Poisoning via a birthday attack

Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic

Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

Mattermost doesn't validate the Host header when constructing response URLs for custom slash command

Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

Mattermost doesn't escape some variables that could contain malicious content during error page composition

Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields

MCP Registry: OCI validator skips ownership check on upstream rate limits

ingress-nginx has Improper Check for Unusual or Exceptional Conditions

GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go

bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function

Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots

Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Mattermost MS Teams plugin doesn't limit the request body size on the /lifecycle webhook endpoint

melange has Path Traversal via .PKGINFO in --persist-lint-results

Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output

In-band key negotiation issue in AWS S3 Crypto SDK for golang

OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)

OAuth2 Proxy's session cookies are not cleared when rendering sign-in page

OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Casdoor vulnerable to Stored XSS via Application formCss / formSideHtml

go-git missing validation decoding Index v4 files leads to panic

Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber

Mattermost fails to enforce invite permissions when updating team settings

Mattermost Playbooks fails to properly validate permissions

Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Moby firewalld reload removes bridge network isolation

Anytype Heart's gRPC API client challenge verification can be bypassed on localhost

Mattermost fails to validate user's authentication method when processing account auth type switch

Clarify Content-Type handling

Panic due to malformed WALs in go.etcd.io/etcd

Improper Sanitizing of plugin names in helm

Repository index file allows for duplicates of the same chart entry in helm

`docker cp` allows unexpected chmod of host files in Moby Docker Engine

Aliases are never checked in helm

Plugin archive directory traversal in Helm

Denial of service in Tendermint

SQL Injection in Harbor scan log API

plugin.yaml file allows for duplicate entries in helm

NeuVector scanner insecurely handles passwords as command arguments

Mattermost is vulnerable to CPU exhaustion via crafted HTTP request

Mattermost doesn't properly validate channel membership at the time of data retrieval

Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped

Start Securing