Go vulnerabilities | Corgea Advisories

MEDIUM 5.0

Go

CVE-2026-48096

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Jun 11, 2026

MEDIUM 6.1

Go

CVE-2026-41568

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

May 18, 2026

MEDIUM 6.5

Go

CVE-2026-54092

File Browser has a DoS Vulnerability via Public Login API

Jun 12, 2026

MEDIUM 6.8

Go

CVE-2026-54094

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-46371

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-46370

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Jun 12, 2026

MEDIUM 4.4

Go

CVE-2026-47190

IPAM controller service account granted unnecessary full access to Secrets

May 29, 2026

MEDIUM 5.9

Go

CVE-2026-48154

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Jun 12, 2026

MEDIUM 6.8

Go

GHSA-9r4w-jg96-92mv

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Jun 12, 2026

MEDIUM 5.5

Go

CVE-2026-47768

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)

Jun 10, 2026

MEDIUM 5.3

Go

CVE-2026-49397

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Jun 10, 2026

MEDIUM 6.9

Go

CVE-2025-51471

Ollama vulnerable to Cross-Domain Token Exposure

Jul 22, 2025

MEDIUM 6.6

Go

CVE-2025-44779

Ollama allows deletion of arbitrary files

Aug 7, 2025

MEDIUM 6.1

Go

CVE-2026-44245

Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component

May 6, 2026

MEDIUM 5.3

Go

CVE-2026-40898

quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Jun 3, 2026

MEDIUM 5.3

Go

CVE-2026-41178

opentelemetry-go's baggage parsing no longer caps raw header length

May 28, 2026

MEDIUM 5.3

Go

CVE-2026-33221

Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

Mar 18, 2026

MEDIUM 5.9

Go

CVE-2026-45680

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

May 18, 2026

MEDIUM 5.1

Go

CVE-2026-45682

OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals

May 18, 2026

MEDIUM 6.5

Go

CVE-2026-45679

OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages

May 18, 2026

MEDIUM 4.9

Go

CVE-2026-45684

OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers

May 18, 2026

MEDIUM 5.5

Go

CVE-2026-45676

OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

May 18, 2026

MEDIUM 5.9

Go

CVE-2026-45681

OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size

May 18, 2026

MEDIUM 5.0

Go

CVE-2020-8554

Unverified Ownership in Kubernetes

Feb 8, 2022

MEDIUM 4.1

Go

CVE-2020-8561

Confused Deputy in Kubernetes

Sep 21, 2021

MEDIUM 6.5

Go

CVE-2026-44740

go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

May 13, 2026

MEDIUM 6.3

Go

CVE-2026-45626

Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter

May 18, 2026

MEDIUM 6.5

Go

CVE-2026-44884

Portainer missing authorization on custom template file endpoint, which exposes template content

May 14, 2026

MEDIUM 5.5

Go

CVE-2026-44885

Portainer has a path traversal in backup archive extraction that allows arbitrary file write

May 14, 2026

MEDIUM 6.5

Go

CVE-2026-44317

free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

May 8, 2026

MEDIUM 6.2

Go

CVE-2026-42328

go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

May 7, 2026

MEDIUM 6.1

Go

CVE-2026-44475

Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

May 11, 2026

MEDIUM 4.3

Go

CVE-2026-44323

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

May 8, 2026

MEDIUM 6.1

Go

CVE-2026-42081

Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

May 7, 2026

MEDIUM 6.5

Go

CVE-2026-44324

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)

May 8, 2026

MEDIUM 5.5

Go

CVE-2026-45046

Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content

May 11, 2026

MEDIUM 5.4

Go

CVE-2026-45571

go-git: Crafted repositories may modify main and submodule .git directories

May 19, 2026

MEDIUM 6.8

Go

CVE-2026-44247

Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size

May 8, 2026

MEDIUM 6.1

Go

CVE-2026-44903

Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

May 5, 2026

MEDIUM 4.4

Go

CVE-2026-41164

nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token

May 5, 2026

MEDIUM 4.9

Go

CVE-2026-42600

MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

May 5, 2026

MEDIUM 4.3

Go

CVE-2026-46431

Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

May 20, 2026

MEDIUM 6.5

Go

CVE-2026-44318

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

May 8, 2026

MEDIUM 5.3

Go

CVE-2026-42592

Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

May 7, 2026

MEDIUM 5.5

Go

CVE-2026-41646

Nuclei: Local File Read via require() Module Loader Bypass

Apr 22, 2026

MEDIUM 4.1

Go

CVE-2026-35601

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Apr 10, 2026

MEDIUM 5.3

Go

CVE-2025-31135

Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times

Apr 1, 2025

MEDIUM 6.5

Go

CVE-2024-34352

1Panel arbitrary file write vulnerability

May 9, 2024

MEDIUM 5.9

Go

CVE-2026-49343

Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS

Jun 5, 2026

MEDIUM 5.4

Go

CVE-2026-47671

Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets

Jun 4, 2026

MEDIUM 4.8

Go

CVE-2026-47215

Singluarity: Incorrect path matching for 'limit container paths' directive

Jun 4, 2026

MEDIUM 4.9

Go

CVE-2026-42876

ExternalSecrets vulnerable to privilege escalation with secret overwriting

May 8, 2026

MEDIUM 6.5

Go

GHSA-w5pp-99ch-qj29

go-git: Malformed Git object data may cause panics or resource exhaustion

May 29, 2026

MEDIUM 4.3

Go

CVE-2026-2325

Mattermost doesn't limit the size of the request body on the start meeting API endpoint

May 18, 2026

MEDIUM 4.3

Go

CVE-2026-28759

Mattermost does not verify remote cluster channel access when processing shared channel membership removals

May 18, 2026

MEDIUM 4.3

Go

CVE-2026-6343

Mattermost doesn't check public/private permissions

May 18, 2026

MEDIUM 6.5

Go

CVE-2026-6345

Mattermost doesn't prevent disclosure of created user password

May 18, 2026

MEDIUM 6.5

Go

CVE-2026-5163

Mattermost doesn't verify channel membership when processing AI-assisted message rewrites

May 18, 2026

MEDIUM 4.3

Go

CVE-2026-6339

Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint

May 18, 2026

MEDIUM 4.3

Go

CVE-2026-28732

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates

May 18, 2026

Know every threat before it ships

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

File Browser has a DoS Vulnerability via Public Login API

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

IPAM controller service account granted unnecessary full access to Secrets

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Ollama vulnerable to Cross-Domain Token Exposure

Ollama allows deletion of arbitrary files

Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component

quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

opentelemetry-go's baggage parsing no longer caps raw header length

Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals

OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages

OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers

OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size

Unverified Ownership in Kubernetes

Confused Deputy in Kubernetes

go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion

Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter

Portainer missing authorization on custom template file endpoint, which exposes template content

Portainer has a path traversal in backup archive extraction that allows arbitrary file write

free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)

Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content

go-git: Crafted repositories may modify main and submodule .git directories

Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size

Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token

MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

Nuclei: Local File Read via require() Module Loader Bypass

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Go-Guerrilla SMTP Daemon allows the PROXY command to be sent multiple times

1Panel arbitrary file write vulnerability

Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS

Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets

Singluarity: Incorrect path matching for 'limit container paths' directive

ExternalSecrets vulnerable to privilege escalation with secret overwriting

go-git: Malformed Git object data may cause panics or resource exhaustion

Mattermost doesn't limit the size of the request body on the start meeting API endpoint

Mattermost does not verify remote cluster channel access when processing shared channel membership removals

Mattermost doesn't check public/private permissions

Mattermost doesn't prevent disclosure of created user password

Mattermost doesn't verify channel membership when processing AI-assisted message rewrites

Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates

Start Securing