data/reports: add 15 reports
- data/reports/GO-2025-3962.yaml
- data/reports/GO-2025-3963.yaml
- data/reports/GO-2025-3964.yaml
- data/reports/GO-2025-3965.yaml
- data/reports/GO-2025-3966.yaml
- data/reports/GO-2025-3967.yaml
- data/reports/GO-2025-3968.yaml
- data/reports/GO-2025-3969.yaml
- data/reports/GO-2025-3970.yaml
- data/reports/GO-2025-3971.yaml
- data/reports/GO-2025-3972.yaml
- data/reports/GO-2025-3973.yaml
- data/reports/GO-2025-3974.yaml
- data/reports/GO-2025-3976.yaml
- data/reports/GO-2025-3977.yaml
Fixes golang/vulndb#3962
Fixes golang/vulndb#3963
Fixes golang/vulndb#3964
Fixes golang/vulndb#3965
Fixes golang/vulndb#3966
Fixes golang/vulndb#3967
Fixes golang/vulndb#3968
Fixes golang/vulndb#3969
Fixes golang/vulndb#3970
Fixes golang/vulndb#3971
Fixes golang/vulndb#3972
Fixes golang/vulndb#3973
Fixes golang/vulndb#3974
Fixes golang/vulndb#3976
Fixes golang/vulndb#3977
Change-Id: I9e030aae978bf9dbd3e83871c1bfa00ee0f3e1df
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/705856
Reviewed-by: Markus Kusano <kusano@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>
diff --git a/data/osv/GO-2025-3962.json b/data/osv/GO-2025-3962.json
new file mode 100644
index 0000000..42da63e
--- /dev/null
+++ b/data/osv/GO-2025-3962.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3962",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59341",
+ "GHSA-49pv-gwxp-532r"
+ ],
+ "summary": "esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh",
+ "details": "esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/esm-dev/esm.sh",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59341"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/esm-dev/esm.sh/commit/492de92850dd4d350c8b299af541f87541e58a45"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3962",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3963.json b/data/osv/GO-2025-3963.json
new file mode 100644
index 0000000..909ba7d
--- /dev/null
+++ b/data/osv/GO-2025-3963.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3963",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59348",
+ "GHSA-2qgr-gfvj-qpcr"
+ ],
+ "summary": "Dragonfly incorrectly handles a task structure’s usedTrac field in d7y.io/dragonfly",
+ "details": "Dragonfly incorrectly handles a task structure’s usedTrac field in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59348"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3963",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3964.json b/data/osv/GO-2025-3964.json
new file mode 100644
index 0000000..a0f3138
--- /dev/null
+++ b/data/osv/GO-2025-3964.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3964",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59349",
+ "GHSA-8425-8r2f-mrv6"
+ ],
+ "summary": "Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly",
+ "details": "Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59349"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3964",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3965.json b/data/osv/GO-2025-3965.json
new file mode 100644
index 0000000..c6cf465
--- /dev/null
+++ b/data/osv/GO-2025-3965.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3965",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59345",
+ "GHSA-89vc-vf32-ch59"
+ ],
+ "summary": "Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly",
+ "details": "Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59345"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3965",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3966.json b/data/osv/GO-2025-3966.json
new file mode 100644
index 0000000..ff6e2ae
--- /dev/null
+++ b/data/osv/GO-2025-3966.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3966",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59347",
+ "GHSA-98x5-jw98-6c97"
+ ],
+ "summary": "Dragonfly's manager makes requests to external endpoints with disabled TLS authentication in d7y.io/dragonfly",
+ "details": "Dragonfly's manager makes requests to external endpoints with disabled TLS authentication in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59347"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3966",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3967.json b/data/osv/GO-2025-3967.json
new file mode 100644
index 0000000..2cd2475
--- /dev/null
+++ b/data/osv/GO-2025-3967.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3967",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59342",
+ "GHSA-g2h5-cvvr-7gmw"
+ ],
+ "summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh",
+ "details": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/esm-dev/esm.sh",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3967",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3968.json b/data/osv/GO-2025-3968.json
new file mode 100644
index 0000000..2ffd735
--- /dev/null
+++ b/data/osv/GO-2025-3968.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3968",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59346",
+ "GHSA-g2rq-jv54-wcpr"
+ ],
+ "summary": "Dragonfly vulnerable to server-side request forgery in d7y.io/dragonfly",
+ "details": "Dragonfly vulnerable to server-side request forgery in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-g2rq-jv54-wcpr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59346"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3968",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3969.json b/data/osv/GO-2025-3969.json
new file mode 100644
index 0000000..9761143
--- /dev/null
+++ b/data/osv/GO-2025-3969.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3969",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59353",
+ "GHSA-255v-qv84-29p5"
+ ],
+ "summary": "DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly",
+ "details": "DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-255v-qv84-29p5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59353"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3969",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3970.json b/data/osv/GO-2025-3970.json
new file mode 100644
index 0000000..05176f3
--- /dev/null
+++ b/data/osv/GO-2025-3970.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3970",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59351",
+ "GHSA-4mhv-8rh3-4ghw"
+ ],
+ "summary": "DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error in d7y.io/dragonfly",
+ "details": "DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4mhv-8rh3-4ghw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59351"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3970",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3971.json b/data/osv/GO-2025-3971.json
new file mode 100644
index 0000000..5f63779
--- /dev/null
+++ b/data/osv/GO-2025-3971.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3971",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59352",
+ "GHSA-79hx-3fp8-hj66"
+ ],
+ "summary": "DragonFly vulnerable to arbitrary file read and write on a peer machine in d7y.io/dragonfly",
+ "details": "DragonFly vulnerable to arbitrary file read and write on a peer machine in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59352"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3971",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3972.json b/data/osv/GO-2025-3972.json
new file mode 100644
index 0000000..51cbafd
--- /dev/null
+++ b/data/osv/GO-2025-3972.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3972",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59350",
+ "GHSA-c2fc-9q9c-5486"
+ ],
+ "summary": "Dragonfly vulnerable to timing attacks against Proxy’s basic authentication in d7y.io/dragonfly",
+ "details": "Dragonfly vulnerable to timing attacks against Proxy’s basic authentication in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59350"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3972",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3973.json b/data/osv/GO-2025-3973.json
new file mode 100644
index 0000000..24cb943
--- /dev/null
+++ b/data/osv/GO-2025-3973.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3973",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59354",
+ "GHSA-hx2h-vjw2-8r54"
+ ],
+ "summary": "DragonFly has weak integrity checks for downloaded files in d7y.io/dragonfly",
+ "details": "DragonFly has weak integrity checks for downloaded files in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-hx2h-vjw2-8r54"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59354"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3973",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3974.json b/data/osv/GO-2025-3974.json
new file mode 100644
index 0000000..d7739b7
--- /dev/null
+++ b/data/osv/GO-2025-3974.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3974",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59410",
+ "GHSA-mcvp-rpgg-9273"
+ ],
+ "summary": "DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly",
+ "details": "DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly",
+ "affected": [
+ {
+ "package": {
+ "name": "d7y.io/dragonfly/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/dragonflyoss/dragonfly",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3974",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3976.json b/data/osv/GO-2025-3976.json
new file mode 100644
index 0000000..ca65666
--- /dev/null
+++ b/data/osv/GO-2025-3976.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3976",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-10630",
+ "GHSA-g4rr-88fc-26fj"
+ ],
+ "summary": "Grafana-Zabbix ReDoS vulnerability in github.com/alexanderzobnin/grafana-zabbix",
+ "details": "Grafana-Zabbix ReDoS vulnerability in github.com/alexanderzobnin/grafana-zabbix.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/alexanderzobnin/grafana-zabbix before v6.0.0.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/alexanderzobnin/grafana-zabbix",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "6.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g4rr-88fc-26fj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10630"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana-zabbix/releases/tag/v6.0.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://grafana.com/security/security-advisories/cve-2025-10630"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3976",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3977.json b/data/osv/GO-2025-3977.json
new file mode 100644
index 0000000..123dfa0
--- /dev/null
+++ b/data/osv/GO-2025-3977.json
@@ -0,0 +1,154 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3977",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-9079",
+ "GHSA-qx3f-6vq3-8j8m"
+ ],
+ "summary": "Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.4+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250707221302-a8fa77f107ef"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qx3f-6vq3-8j8m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9079"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/047a2c64071749367fe02d2162f6103a3d31a883"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/439464883aa16a329c23cd6274c4cca7e88e238f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/4ff68eea0a3f3777032d31a1a82f4b1fb492a1ac"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/96665b9b98a17534fcd515982a2eb26950581e41"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/a8fa77f107efe83f09a779f8e67cbecf236b0032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/b38e2eccda182212a8032539658723c7d87e0b7e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3977",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3962.yaml b/data/reports/GO-2025-3962.yaml
new file mode 100644
index 0000000..d78a305
--- /dev/null
+++ b/data/reports/GO-2025-3962.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3962
+modules:
+ - module: github.com/esm-dev/esm.sh
+ unsupported_versions:
+ - last_affected: 136.0.0
+ vulnerable_at: 0.0.0-20250920062728-5cc3937618bd
+summary: esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh
+cves:
+ - CVE-2025-59341
+ghsas:
+ - GHSA-49pv-gwxp-532r
+references:
+ - advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59341
+ - fix: https://github.com/esm-dev/esm.sh/commit/492de92850dd4d350c8b299af541f87541e58a45
+ - web: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
+source:
+ id: GHSA-49pv-gwxp-532r
+ created: 2025-09-22T17:59:12.247720353Z
+review_status: UNREVIEWED
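Review bot: The report lists a `fix:` commit, but the module entry has no `fixed` version, only `unsupported_versions: last_affected: 136.0.0`. The generated OSV range is therefore `introduced: 0` with no upper bound, and scanners will flag every version of github.com/esm-dev/esm.sh, including builds that already contain commit 492de928. If that commit resolves to a Go pseudo-version, add it under `versions:` as `- fixed: <pseudo-version of 492de92850dd>` (placeholder; the value is not on this page). It is also worth confirming that `vulnerable_at: 0.0.0-20250920062728-5cc3937618bd` predates the fix, which cannot be told from the hunk. GO-2025-3967.yaml has the same shape, with fix commit 833a29f4.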
diff --git a/data/reports/GO-2025-3963.yaml b/data/reports/GO-2025-3963.yaml
new file mode 100644
index 0000000..4619620
--- /dev/null
+++ b/data/reports/GO-2025-3963.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3963
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: Dragonfly incorrectly handles a task structure’s usedTrac field in d7y.io/dragonfly
+cves:
+ - CVE-2025-59348
+ghsas:
+ - GHSA-2qgr-gfvj-qpcr
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59348
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-2qgr-gfvj-qpcr
+ created: 2025-09-22T17:59:08.102429153Z
+review_status: UNREVIEWED
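Review bot: The second module entry, `github.com/dragonflyoss/dragonfly`, has no `versions` block, so every release under that path is reported as affected with no upgrade target. The summary also names `d7y.io/dragonfly`, which matches neither listed module path. Consider ending the summary with the path that carries the fix, `... in d7y.io/dragonfly/v2`, so readers of scanner output can tell that 2.1.0 of the v2 module is the remediation. `usedTrac` in the summary looks like a truncated identifier copied from the source advisory (possibly `usedTraffic`); confirm against GHSA-2qgr-gfvj-qpcr before publishing. The same module/summary mismatch applies to GO-2025-3964, GO-2025-3965, GO-2025-3966, GO-2025-3968 and GO-2025-3969 in this change.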
diff --git a/data/reports/GO-2025-3964.yaml b/data/reports/GO-2025-3964.yaml
new file mode 100644
index 0000000..438b726
--- /dev/null
+++ b/data/reports/GO-2025-3964.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3964
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly
+cves:
+ - CVE-2025-59349
+ghsas:
+ - GHSA-8425-8r2f-mrv6
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59349
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-8425-8r2f-mrv6
+ created: 2025-09-22T17:59:03.778281644Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3965.yaml b/data/reports/GO-2025-3965.yaml
new file mode 100644
index 0000000..d6d9062
--- /dev/null
+++ b/data/reports/GO-2025-3965.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3965
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly
+cves:
+ - CVE-2025-59345
+ghsas:
+ - GHSA-89vc-vf32-ch59
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59345
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-89vc-vf32-ch59
+ created: 2025-09-22T17:58:59.438048462Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3966.yaml b/data/reports/GO-2025-3966.yaml
new file mode 100644
index 0000000..f67487c
--- /dev/null
+++ b/data/reports/GO-2025-3966.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3966
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: |-
+ Dragonfly's manager makes requests to external endpoints with disabled TLS
+ authentication in d7y.io/dragonfly
+cves:
+ - CVE-2025-59347
+ghsas:
+ - GHSA-98x5-jw98-6c97
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59347
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-98x5-jw98-6c97
+ created: 2025-09-22T17:58:54.981502665Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3967.yaml b/data/reports/GO-2025-3967.yaml
new file mode 100644
index 0000000..c8e9b65
--- /dev/null
+++ b/data/reports/GO-2025-3967.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3967
+modules:
+ - module: github.com/esm-dev/esm.sh
+ unsupported_versions:
+ - last_affected: 136.0.0
+ vulnerable_at: 0.0.0-20250920062728-5cc3937618bd
+summary: esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh
+cves:
+ - CVE-2025-59342
+ghsas:
+ - GHSA-g2h5-cvvr-7gmw
+references:
+ - advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59342
+ - fix: https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
+ - web: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
+ - web: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
+source:
+ id: GHSA-g2h5-cvvr-7gmw
+ created: 2025-09-22T17:58:37.914893705Z
+review_status: UNREVIEWED
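Review bot: The two `web:` references point at `blob/main/server/router.go#L116` and `#L411`, which are line anchors on a moving branch. They will stop pointing at the vulnerable code once router.go changes, and the fix commit itself may already have shifted them. GO-2025-3962.yaml in this change uses a commit-pinned permalink for the same file. Use the same form here, e.g. `https://github.com/esm-dev/esm.sh/blob/<commit-before-fix>/server/router.go#L116` (placeholder commit), so the report keeps pointing at the code the advisory describes.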
diff --git a/data/reports/GO-2025-3968.yaml b/data/reports/GO-2025-3968.yaml
new file mode 100644
index 0000000..5afacff
--- /dev/null
+++ b/data/reports/GO-2025-3968.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3968
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: Dragonfly vulnerable to server-side request forgery in d7y.io/dragonfly
+cves:
+ - CVE-2025-59346
+ghsas:
+ - GHSA-g2rq-jv54-wcpr
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-g2rq-jv54-wcpr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59346
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-g2rq-jv54-wcpr
+ created: 2025-09-22T17:58:32.57024762Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3969.yaml b/data/reports/GO-2025-3969.yaml
new file mode 100644
index 0000000..f9cba25
--- /dev/null
+++ b/data/reports/GO-2025-3969.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3969
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
+cves:
+ - CVE-2025-59353
+ghsas:
+ - GHSA-255v-qv84-29p5
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-255v-qv84-29p5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59353
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-255v-qv84-29p5
+ created: 2025-09-22T17:58:28.421515529Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3970.yaml b/data/reports/GO-2025-3970.yaml
new file mode 100644
index 0000000..c614caf
--- /dev/null
+++ b/data/reports/GO-2025-3970.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3970
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: |-
+ DragonFly vulnerable to panics due to nil pointer dereference when using
+ variables created alongside an error in d7y.io/dragonfly
+cves:
+ - CVE-2025-59351
+ghsas:
+ - GHSA-4mhv-8rh3-4ghw
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4mhv-8rh3-4ghw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59351
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-4mhv-8rh3-4ghw
+ created: 2025-09-22T17:58:24.341777809Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3971.yaml b/data/reports/GO-2025-3971.yaml
new file mode 100644
index 0000000..ec6c160
--- /dev/null
+++ b/data/reports/GO-2025-3971.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3971
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: DragonFly vulnerable to arbitrary file read and write on a peer machine in d7y.io/dragonfly
+cves:
+ - CVE-2025-59352
+ghsas:
+ - GHSA-79hx-3fp8-hj66
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59352
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-79hx-3fp8-hj66
+ created: 2025-09-22T17:58:20.233600842Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3972.yaml b/data/reports/GO-2025-3972.yaml
new file mode 100644
index 0000000..668b722
--- /dev/null
+++ b/data/reports/GO-2025-3972.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3972
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: Dragonfly vulnerable to timing attacks against Proxy’s basic authentication in d7y.io/dragonfly
+cves:
+ - CVE-2025-59350
+ghsas:
+ - GHSA-c2fc-9q9c-5486
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59350
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-c2fc-9q9c-5486
+ created: 2025-09-22T17:58:16.184578967Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3973.yaml b/data/reports/GO-2025-3973.yaml
new file mode 100644
index 0000000..3a23bed
--- /dev/null
+++ b/data/reports/GO-2025-3973.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3973
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: DragonFly has weak integrity checks for downloaded files in d7y.io/dragonfly
+cves:
+ - CVE-2025-59354
+ghsas:
+ - GHSA-hx2h-vjw2-8r54
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-hx2h-vjw2-8r54
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59354
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-hx2h-vjw2-8r54
+ created: 2025-09-22T17:58:11.820530841Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3974.yaml b/data/reports/GO-2025-3974.yaml
new file mode 100644
index 0000000..23800c0
--- /dev/null
+++ b/data/reports/GO-2025-3974.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3974
+modules:
+ - module: d7y.io/dragonfly/v2
+ versions:
+ - fixed: 2.1.0
+ vulnerable_at: 2.1.0-rc.0
+ - module: github.com/dragonflyoss/dragonfly
+ vulnerable_at: 1.0.6
+summary: DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly
+cves:
+ - CVE-2025-59410
+ghsas:
+ - GHSA-mcvp-rpgg-9273
+references:
+ - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59410
+ - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
+source:
+ id: GHSA-mcvp-rpgg-9273
+ created: 2025-09-22T17:58:02.627933333Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3976.yaml b/data/reports/GO-2025-3976.yaml
new file mode 100644
index 0000000..779d989
--- /dev/null
+++ b/data/reports/GO-2025-3976.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3976
+modules:
+ - module: github.com/alexanderzobnin/grafana-zabbix
+ non_go_versions:
+ - fixed: 6.0.0
+ vulnerable_at: 3.12.4+incompatible
+summary: Grafana-Zabbix ReDoS vulnerability in github.com/alexanderzobnin/grafana-zabbix
+cves:
+ - CVE-2025-10630
+ghsas:
+ - GHSA-g4rr-88fc-26fj
+references:
+ - advisory: https://github.com/advisories/GHSA-g4rr-88fc-26fj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-10630
+ - web: https://github.com/grafana/grafana-zabbix/releases/tag/v6.0.0
+ - web: https://grafana.com/security/security-advisories/cve-2025-10630
+source:
+ id: GHSA-g4rr-88fc-26fj
+ created: 2025-09-22T17:57:55.090710583Z
+review_status: UNREVIEWED
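Review bot: The module is keyed as `github.com/alexanderzobnin/grafana-zabbix` while the release reference points at `github.com/grafana/grafana-zabbix`, and the only version bound is `non_go_versions: fixed: 6.0.0`. With no Go `versions:` range, every version at the listed path is treated as affected. If the module path was renamed along with the repository, which the page does not show, code importing the new path would not match this report at all. It is worth confirming the module path declared by the v6.0.0 release and, if it differs, adding a second `- module:` entry for it.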
diff --git a/data/reports/GO-2025-3977.yaml b/data/reports/GO-2025-3977.yaml
new file mode 100644
index 0000000..8bc365e
--- /dev/null
+++ b/data/reports/GO-2025-3977.yaml
@@ -0,0 +1,43 @@
+id: GO-2025-3977
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.4+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.2+incompatible
+ vulnerable_at: 10.10.2-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250707221302-a8fa77f107ef
+summary: Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-9079
+ghsas:
+ - GHSA-qx3f-6vq3-8j8m
+references:
+ - advisory: https://github.com/advisories/GHSA-qx3f-6vq3-8j8m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-9079
+ - web: https://github.com/mattermost/mattermost/commit/047a2c64071749367fe02d2162f6103a3d31a883
+ - web: https://github.com/mattermost/mattermost/commit/439464883aa16a329c23cd6274c4cca7e88e238f
+ - web: https://github.com/mattermost/mattermost/commit/4ff68eea0a3f3777032d31a1a82f4b1fb492a1ac
+ - web: https://github.com/mattermost/mattermost/commit/96665b9b98a17534fcd515982a2eb26950581e41
+ - web: https://github.com/mattermost/mattermost/commit/a8fa77f107efe83f09a779f8e67cbecf236b0032
+ - web: https://github.com/mattermost/mattermost/commit/b38e2eccda182212a8032539658723c7d87e0b7e
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-qx3f-6vq3-8j8m
+ created: 2025-09-22T17:56:58.664523111Z
+review_status: UNREVIEWED
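Review bot: The `/v5` and `/v6` module entries carry only `vulnerable_at` and no `versions:` range, so they are reported as affected in every version, while the main module's ranges start at `introduced: 9.11.0+incompatible`. If the path traversal really was introduced in 9.11.0, as the first entry implies, the 5.x and 6.x releases predate it and these two entries would produce false positives; this needs checking against the advisory. The `/v8` entry has a `fixed` pseudo-version but no `vulnerable_at`, as the `notes:` line records, so nothing pins a version at which the issue was confirmed present for that module. The six commit links are listed as `web:`; marking those that are fixes as `fix:`, as GO-2025-3967 does, would tell readers which commits to audit.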