data/reports: add 16 UNREVIEWED reports
- data/reports/GO-2025-3893.yaml
- data/reports/GO-2025-3894.yaml
- data/reports/GO-2025-3895.yaml
- data/reports/GO-2025-3896.yaml
- data/reports/GO-2025-3897.yaml
- data/reports/GO-2025-3901.yaml
- data/reports/GO-2025-3902.yaml
- data/reports/GO-2025-3903.yaml
- data/reports/GO-2025-3904.yaml
- data/reports/GO-2025-3905.yaml
- data/reports/GO-2025-3906.yaml
- data/reports/GO-2025-3907.yaml
- data/reports/GO-2025-3909.yaml
- data/reports/GO-2025-3910.yaml
- data/reports/GO-2025-3911.yaml
- data/reports/GO-2025-3913.yaml
Fixes golang/vulndb#3893
Fixes golang/vulndb#3894
Fixes golang/vulndb#3895
Fixes golang/vulndb#3896
Fixes golang/vulndb#3897
Fixes golang/vulndb#3901
Fixes golang/vulndb#3902
Fixes golang/vulndb#3903
Fixes golang/vulndb#3904
Fixes golang/vulndb#3905
Fixes golang/vulndb#3906
Fixes golang/vulndb#3907
Fixes golang/vulndb#3909
Fixes golang/vulndb#3910
Fixes golang/vulndb#3911
Fixes golang/vulndb#3913
Change-Id: I19f844e5a2783cc9bc64441139bb9f21710ed50c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/699475
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Ethan Lee <ethanalee@google.com>
diff --git a/data/osv/GO-2025-3893.json b/data/osv/GO-2025-3893.json
new file mode 100644
index 0000000..b1be5a4
--- /dev/null
+++ b/data/osv/GO-2025-3893.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3893",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55205",
+ "GHSA-fcpm-6mxq-m5vv"
+ ],
+ "summary": "Capsule tenant owners with \"patch namespace\" permission can hijack system namespaces label in github.com/projectcapsule/capsule",
+ "details": "Capsule tenant owners with \"patch namespace\" permission can hijack system namespaces label in github.com/projectcapsule/capsule",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/projectcapsule/capsule",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.10.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55205"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/projectcapsule/capsule/commit/e1f47feade6e1695b2204407607d07c3b3994f6e"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3893",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3894.json b/data/osv/GO-2025-3894.json
new file mode 100644
index 0000000..31c7c56
--- /dev/null
+++ b/data/osv/GO-2025-3894.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3894",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55213",
+ "GHSA-mgh9-4mwp-fg55"
+ ],
+ "summary": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+ "details": "OpenFGA Authorization Bypass in github.com/openfga/openfga",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openfga/openfga",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.9.3"
+ },
+ {
+ "fixed": "1.9.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55213"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3894",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3895.json b/data/osv/GO-2025-3895.json
new file mode 100644
index 0000000..1d1f337
--- /dev/null
+++ b/data/osv/GO-2025-3895.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3895",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-qp7j-x725-g67f"
+ ],
+ "summary": "HydrAIDE Authentication Bypass Vulnerability in github.com/hydraide/hydraide",
+ "details": "HydrAIDE Authentication Bypass Vulnerability in github.com/hydraide/hydraide.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/hydraide/hydraide from v2.1.1 before v2.2.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hydraide/hydraide",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250816184905-1256db38c33c"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.1.1"
+ },
+ {
+ "fixed": "2.2.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/hydraide/hydraide/security/advisories/GHSA-qp7j-x725-g67f"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hydraide/hydraide/commit/b252554a811400a81951dc9f959b99077f187975#diff-63efbc8179fff403eb5cc642407b33c0fb21aea2c84baaf5e5223f76f5d75f55"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3895",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3896.json b/data/osv/GO-2025-3896.json
new file mode 100644
index 0000000..c1c309e
--- /dev/null
+++ b/data/osv/GO-2025-3896.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3896",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55740",
+ "GHSA-pr72-8fxw-xx22"
+ ],
+ "summary": "Default Credentials in nginx-defender Configuration Files in github.com/Anipaleja/nginx-defender",
+ "details": "Default Credentials in nginx-defender Configuration Files in github.com/Anipaleja/nginx-defender",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/Anipaleja/nginx-defender",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/Anipaleja/nginx-defender/security/advisories/GHSA-pr72-8fxw-xx22"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55740"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3896",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3897.json b/data/osv/GO-2025-3897.json
new file mode 100644
index 0000000..483e767
--- /dev/null
+++ b/data/osv/GO-2025-3897.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3897",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4437",
+ "GHSA-8f93-j3fx-72f3"
+ ],
+ "summary": "CRI-O has Potential High Memory Consumption from File Read in github.com/cri-o/cri-o",
+ "details": "CRI-O has Potential High Memory Consumption from File Read in github.com/cri-o/cri-o",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cri-o/cri-o",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8f93-j3fx-72f3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4437"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-4437"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2375084"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3897",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3901.json b/data/osv/GO-2025-3901.json
new file mode 100644
index 0000000..6db6e59
--- /dev/null
+++ b/data/osv/GO-2025-3901.json
@@ -0,0 +1,135 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3901",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-36530",
+ "GHSA-gq3r-5833-5532"
+ ],
+ "summary": "Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250619095651-9dd0b3943e55.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250619095651-9dd0b3943e55"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gq3r-5833-5532"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36530"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3901",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3902.json b/data/osv/GO-2025-3902.json
new file mode 100644
index 0000000..c9824c8
--- /dev/null
+++ b/data/osv/GO-2025-3902.json
@@ -0,0 +1,112 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3902",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53971",
+ "GHSA-4276-cm8c-788h"
+ ],
+ "summary": "Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250721095846-c602a4a78e1f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4276-cm8c-788h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53971"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3902",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3903.json b/data/osv/GO-2025-3903.json
new file mode 100644
index 0000000..e36ccc9
--- /dev/null
+++ b/data/osv/GO-2025-3903.json
@@ -0,0 +1,106 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3903",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-49810",
+ "GHSA-pwvr-grqg-7vp2"
+ ],
+ "summary": "Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250721095846-c602a4a78e1f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-pwvr-grqg-7vp2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49810"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3903",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3904.json b/data/osv/GO-2025-3904.json
new file mode 100644
index 0000000..74ec6fe
--- /dev/null
+++ b/data/osv/GO-2025-3904.json
@@ -0,0 +1,141 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3904",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-49222",
+ "GHSA-q453-638c-h4mr"
+ ],
+ "summary": "Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.3+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250708173752-d6b35c41f0ae5"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q453-638c-h4mr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49222"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3904",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
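Review bot: The `custom_ranges` fix for `github.com/mattermost/mattermost/server/v8` is `"fixed": "8.0.0-20250708173752-d6b35c41f0ae5"`, whose commit suffix has 13 hex characters, while a Go pseudo-version carries a 12-character commit prefix. That is presumably why the version could not be mapped, leaving the module's `SEMVER` range as `"introduced": "0"` with no `fixed` event. A scanner that reads only `ranges` will therefore report every v8 version as affected, patched builds included. The same string appears in the GO-2025-3910 and GO-2025-3911 hunks. Since these OSV files are likely generated from `data/reports/*.yaml`, the fix belongs in the source reports: confirm the commit upstream and record it in the `SEMVER` range as `"fixed": "8.0.0-20250708173752-<12-hex-commit-prefix>"`.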
diff --git a/data/osv/GO-2025-3905.json b/data/osv/GO-2025-3905.json
new file mode 100644
index 0000000..9856921
--- /dev/null
+++ b/data/osv/GO-2025-3905.json
@@ -0,0 +1,124 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3905",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47870",
+ "GHSA-qj47-w9f2-qg44"
+ ],
+ "summary": "Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250708065844-b38e2eccda18"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qj47-w9f2-qg44"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47870"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3905",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3906.json b/data/osv/GO-2025-3906.json
new file mode 100644
index 0000000..f78b40e
--- /dev/null
+++ b/data/osv/GO-2025-3906.json
@@ -0,0 +1,106 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3906",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47700",
+ "GHSA-vqwh-5jhh-vc9p"
+ ],
+ "summary": "Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.10+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250814075248-83a37a861d3c"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vqwh-5jhh-vc9p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47700"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3906",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3907.json b/data/osv/GO-2025-3907.json
new file mode 100644
index 0000000..5454420
--- /dev/null
+++ b/data/osv/GO-2025-3907.json
@@ -0,0 +1,124 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3907",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-8023",
+ "GHSA-x67c-v8jr-p29r"
+ ],
+ "summary": "Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250708065844-b38e2eccda18"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-x67c-v8jr-p29r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8023"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3907",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3909.json b/data/osv/GO-2025-3909.json
new file mode 100644
index 0000000..d0c3e9e
--- /dev/null
+++ b/data/osv/GO-2025-3909.json
@@ -0,0 +1,45 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3909",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53363",
+ "GHSA-gcqf-pxgg-gw8q"
+ ],
+ "summary": "Dpanel has an arbitrary file read vulnerability in github.com/donknap/dpanel",
+ "details": "Dpanel has an arbitrary file read vulnerability in github.com/donknap/dpanel",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/donknap/dpanel",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.2.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53363"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3909",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3910.json b/data/osv/GO-2025-3910.json
new file mode 100644
index 0000000..7a3eb83
--- /dev/null
+++ b/data/osv/GO-2025-3910.json
@@ -0,0 +1,135 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3910",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-6465",
+ "GHSA-pj6f-rc94-gw53"
+ ],
+ "summary": "Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.4+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250708173752-d6b35c41f0ae5"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-pj6f-rc94-gw53"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6465"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3910",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3911.json b/data/osv/GO-2025-3911.json
new file mode 100644
index 0000000..eed0072
--- /dev/null
+++ b/data/osv/GO-2025-3911.json
@@ -0,0 +1,141 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3911",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-8402",
+ "GHSA-h469-4fcf-p23h"
+ ],
+ "summary": "Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.18+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.9+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.4+incompatible"
+ },
+ {
+ "introduced": "10.9.0+incompatible"
+ },
+ {
+ "fixed": "10.9.4+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250708173752-d6b35c41f0ae5"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h469-4fcf-p23h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8402"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3911",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3913.json b/data/osv/GO-2025-3913.json
new file mode 100644
index 0000000..73743a3
--- /dev/null
+++ b/data/osv/GO-2025-3913.json
@@ -0,0 +1,71 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3913",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-57813",
+ "GHSA-27r7-3m9x-r533"
+ ],
+ "summary": "traQ Allows Insertion of Sensitive Information into Log File in github.com/traPtitech/traQ",
+ "details": "traQ Allows Insertion of Sensitive Information into Log File in github.com/traPtitech/traQ.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/traPtitech/traQ before v3.25.0.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/traPtitech/traQ",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.25.0"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/traPtitech/traQ/security/advisories/GHSA-27r7-3m9x-r533"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57813"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traPtitech/traQ/commit/ce5da94f5d5a8348f9ecdc82140b6f53b3721698"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traPtitech/traQ/pull/2787"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/traPtitech/traQ/pull/2788"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3913",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3893.yaml b/data/reports/GO-2025-3893.yaml
new file mode 100644
index 0000000..820e1c4
--- /dev/null
+++ b/data/reports/GO-2025-3893.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3893
+modules:
+ - module: github.com/projectcapsule/capsule
+ versions:
+ - fixed: 0.10.4
+ vulnerable_at: 0.10.3
+summary: |-
+ Capsule tenant owners with "patch namespace" permission can hijack system
+ namespaces label in github.com/projectcapsule/capsule
+cves:
+ - CVE-2025-55205
+ghsas:
+ - GHSA-fcpm-6mxq-m5vv
+references:
+ - advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55205
+ - fix: https://github.com/projectcapsule/capsule/commit/e1f47feade6e1695b2204407607d07c3b3994f6e
+source:
+ id: GHSA-fcpm-6mxq-m5vv
+ created: 2025-08-27T18:27:42.669526673Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3894.yaml b/data/reports/GO-2025-3894.yaml
new file mode 100644
index 0000000..4203958
--- /dev/null
+++ b/data/reports/GO-2025-3894.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3894
+modules:
+ - module: github.com/openfga/openfga
+ versions:
+ - introduced: 1.9.3
+ - fixed: 1.9.5
+ vulnerable_at: 1.9.4
+summary: OpenFGA Authorization Bypass in github.com/openfga/openfga
+cves:
+ - CVE-2025-55213
+ghsas:
+ - GHSA-mgh9-4mwp-fg55
+references:
+ - advisory: https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55213
+ - fix: https://github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0
+source:
+ id: GHSA-mgh9-4mwp-fg55
+ created: 2025-08-27T18:27:37.898853618Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3895.yaml b/data/reports/GO-2025-3895.yaml
new file mode 100644
index 0000000..fe21950
--- /dev/null
+++ b/data/reports/GO-2025-3895.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3895
+modules:
+ - module: github.com/hydraide/hydraide
+ versions:
+ - fixed: 0.0.0-20250816184905-1256db38c33c
+ non_go_versions:
+ - introduced: 2.1.1
+ - fixed: 2.2.1
+summary: HydrAIDE Authentication Bypass Vulnerability in github.com/hydraide/hydraide
+ghsas:
+ - GHSA-qp7j-x725-g67f
+references:
+ - advisory: https://github.com/hydraide/hydraide/security/advisories/GHSA-qp7j-x725-g67f
+ - fix: https://github.com/hydraide/hydraide/commit/b252554a811400a81951dc9f959b99077f187975#diff-63efbc8179fff403eb5cc642407b33c0fb21aea2c84baaf5e5223f76f5d75f55
+notes:
+ - fix: 'github.com/hydraide/hydraide: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-qp7j-x725-g67f
+ created: 2025-08-27T18:27:32.143997228Z
+review_status: UNREVIEWED
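Review bot: The `fix:` reference keeps a `#diff-63efbc81…` fragment, which pins the link to one file view inside the commit rather than the commit itself. The reference would be more stable as the bare commit URL, `- fix: https://github.com/hydraide/hydraide/commit/b252554a811400a81951dc9f959b99077f187975`. Separately, `versions` has only a `fixed` pseudo-version while `non_go_versions` says the issue was introduced at 2.1.1, so the Go range treats every earlier pseudo-version as affected; that may be intended, but it is worth confirming before the report leaves UNREVIEWED.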
diff --git a/data/reports/GO-2025-3896.yaml b/data/reports/GO-2025-3896.yaml
new file mode 100644
index 0000000..c502958
--- /dev/null
+++ b/data/reports/GO-2025-3896.yaml
@@ -0,0 +1,18 @@
+id: GO-2025-3896
+modules:
+ - module: github.com/Anipaleja/nginx-defender
+ versions:
+ - fixed: 1.5.0
+ vulnerable_at: 1.4.2
+summary: Default Credentials in nginx-defender Configuration Files in github.com/Anipaleja/nginx-defender
+cves:
+ - CVE-2025-55740
+ghsas:
+ - GHSA-pr72-8fxw-xx22
+references:
+ - advisory: https://github.com/Anipaleja/nginx-defender/security/advisories/GHSA-pr72-8fxw-xx22
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55740
+source:
+ id: GHSA-pr72-8fxw-xx22
+ created: 2025-08-27T18:27:29.155238235Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3897.yaml b/data/reports/GO-2025-3897.yaml
new file mode 100644
index 0000000..1ccee3d
--- /dev/null
+++ b/data/reports/GO-2025-3897.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3897
+modules:
+ - module: github.com/cri-o/cri-o
+ unsupported_versions:
+ - last_affected: 1.33.3
+ vulnerable_at: 1.33.3
+summary: CRI-O has Potential High Memory Consumption from File Read in github.com/cri-o/cri-o
+cves:
+ - CVE-2025-4437
+ghsas:
+ - GHSA-8f93-j3fx-72f3
+references:
+ - advisory: https://github.com/advisories/GHSA-8f93-j3fx-72f3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4437
+ - web: https://access.redhat.com/security/cve/CVE-2025-4437
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2375084
+source:
+ id: GHSA-8f93-j3fx-72f3
+ created: 2025-08-27T18:27:22.300373695Z
+review_status: UNREVIEWED
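Review bot: The module entry has no `versions` block, only `unsupported_versions` with `last_affected: 1.33.3`, so the range is open-ended and scanners will keep flagging cri-o releases after a fix ships. None of the references is a `fix:` link either, so a reader cannot tell from the report whether a patched release exists. Once upstream publishes one, add `versions:` with `- fixed: <FIXED_VERSION>` and a `fix:` reference. Until then a `notes:` entry saying that no fixed version was known at creation time would make the open range explicit.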
diff --git a/data/reports/GO-2025-3901.yaml b/data/reports/GO-2025-3901.yaml
new file mode 100644
index 0000000..3051e8d
--- /dev/null
+++ b/data/reports/GO-2025-3901.yaml
@@ -0,0 +1,34 @@
+id: GO-2025-3901
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.2+incompatible
+ vulnerable_at: 10.9.2-rc1+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250619095651-9dd0b3943e55
+ vulnerable_at: 8.0.0-20250827163812-93ebaf3d9fda
+summary: Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-36530
+ghsas:
+ - GHSA-gq3r-5833-5532
+references:
+ - advisory: https://github.com/advisories/GHSA-gq3r-5833-5532
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-36530
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-gq3r-5833-5532
+ created: 2025-08-27T18:27:04.904444857Z
+review_status: UNREVIEWED
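Review bot: For `github.com/mattermost/mattermost/server/v8`, `vulnerable_at: 8.0.0-20250827163812-93ebaf3d9fda` carries a later timestamp than the `fixed: 8.0.0-20250619095651-9dd0b3943e55` listed under `non_go_versions`. It therefore most likely names a commit that already contains the fix rather than a vulnerable one. Because the fix sits under `non_go_versions`, the Go range for v8 also stays open-ended and every v8 version is reported as affected. If the pseudo-version resolves, move it to `versions:` as `- fixed: 8.0.0-20250619095651-9dd0b3943e55` and pick a `vulnerable_at` that predates it. The same later-than-fix `vulnerable_at` appears in GO-2025-3904, GO-2025-3910 and GO-2025-3911.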
diff --git a/data/reports/GO-2025-3902.yaml b/data/reports/GO-2025-3902.yaml
new file mode 100644
index 0000000..7ef48ed
--- /dev/null
+++ b/data/reports/GO-2025-3902.yaml
@@ -0,0 +1,31 @@
+id: GO-2025-3902
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ vulnerable_at: 10.5.9-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250721095846-c602a4a78e1f
+summary: Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-53971
+ghsas:
+ - GHSA-4276-cm8c-788h
+references:
+ - advisory: https://github.com/advisories/GHSA-4276-cm8c-788h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53971
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-4276-cm8c-788h
+ created: 2025-08-27T18:27:00.369739616Z
+review_status: UNREVIEWED
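Review bot: The `github.com/mattermost/mattermost-server/v5` and `/v6` entries carry only `vulnerable_at` and no `versions`, so every release of those modules is reported as affected, while the ranges on `github.com/mattermost/mattermost-server` start at 9.11.0. If the flaw was introduced in 9.11.0 these two entries produce false positives for anyone still pinned to v5 or v6. If older releases really are affected, a `notes:` line saying so would keep a later reviewer from removing them. The same pattern is in GO-2025-3901, GO-2025-3903 to GO-2025-3907, GO-2025-3910 and GO-2025-3911.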
diff --git a/data/reports/GO-2025-3903.yaml b/data/reports/GO-2025-3903.yaml
new file mode 100644
index 0000000..caf5e57
--- /dev/null
+++ b/data/reports/GO-2025-3903.yaml
@@ -0,0 +1,29 @@
+id: GO-2025-3903
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ vulnerable_at: 10.5.9-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250721095846-c602a4a78e1f
+summary: Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-49810
+ghsas:
+ - GHSA-pwvr-grqg-7vp2
+references:
+ - advisory: https://github.com/advisories/GHSA-pwvr-grqg-7vp2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-49810
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-pwvr-grqg-7vp2
+ created: 2025-08-27T18:26:54.966925772Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3904.yaml b/data/reports/GO-2025-3904.yaml
new file mode 100644
index 0000000..1ebf962
--- /dev/null
+++ b/data/reports/GO-2025-3904.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3904
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.3+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.1+incompatible
+ vulnerable_at: 10.10.1-rc1+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250708173752-d6b35c41f0ae5
+ vulnerable_at: 8.0.0-20250827163812-93ebaf3d9fda
+summary: Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-49222
+ghsas:
+ - GHSA-q453-638c-h4mr
+references:
+ - advisory: https://github.com/advisories/GHSA-q453-638c-h4mr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-49222
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-q453-638c-h4mr
+ created: 2025-08-27T18:25:54.779966338Z
+review_status: UNREVIEWED
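Review bot: The v8 `fixed` value `8.0.0-20250708173752-d6b35c41f0ae5` ends in a 13-character hash, whereas a Go pseudo-version carries a 12-character commit prefix. That is probably why it could not be mapped and ended up under `non_go_versions`. As a result the Go range for `github.com/mattermost/mattermost/server/v8` has no fix, which the generated OSV for GO-2025-3911 in this commit confirms: its SEMVER events hold only `introduced: "0"`. After checking the commit upstream, the entry would likely belong under `versions:` as `- fixed: 8.0.0-20250708173752-d6b35c41f0ae`. GO-2025-3910 and GO-2025-3911 use the same string.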
diff --git a/data/reports/GO-2025-3905.yaml b/data/reports/GO-2025-3905.yaml
new file mode 100644
index 0000000..c4f3a85
--- /dev/null
+++ b/data/reports/GO-2025-3905.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-3905
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.3+incompatible
+ vulnerable_at: 10.9.3-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250708065844-b38e2eccda18
+summary: Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-47870
+ghsas:
+ - GHSA-qj47-w9f2-qg44
+references:
+ - advisory: https://github.com/advisories/GHSA-qj47-w9f2-qg44
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47870
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-qj47-w9f2-qg44
+ created: 2025-08-27T18:25:50.704724669Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3906.yaml b/data/reports/GO-2025-3906.yaml
new file mode 100644
index 0000000..bdf0187
--- /dev/null
+++ b/data/reports/GO-2025-3906.yaml
@@ -0,0 +1,29 @@
+id: GO-2025-3906
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.10+incompatible
+ vulnerable_at: 10.5.10-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250814075248-83a37a861d3c
+summary: Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-47700
+ghsas:
+ - GHSA-vqwh-5jhh-vc9p
+references:
+ - advisory: https://github.com/advisories/GHSA-vqwh-5jhh-vc9p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47700
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-vqwh-5jhh-vc9p
+ created: 2025-08-27T18:25:46.384607254Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3907.yaml b/data/reports/GO-2025-3907.yaml
new file mode 100644
index 0000000..019c0e8
--- /dev/null
+++ b/data/reports/GO-2025-3907.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-3907
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.3+incompatible
+ vulnerable_at: 10.9.3-rc4+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250708065844-b38e2eccda18
+summary: Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-8023
+ghsas:
+ - GHSA-x67c-v8jr-p29r
+references:
+ - advisory: https://github.com/advisories/GHSA-x67c-v8jr-p29r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-8023
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-x67c-v8jr-p29r
+ created: 2025-08-27T18:25:41.806909761Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3909.yaml b/data/reports/GO-2025-3909.yaml
new file mode 100644
index 0000000..ab36692
--- /dev/null
+++ b/data/reports/GO-2025-3909.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3909
+modules:
+ - module: github.com/donknap/dpanel
+ versions:
+ - introduced: 1.2.0
+ unsupported_versions:
+ - last_affected: 1.7.2
+ vulnerable_at: 1.8.1
+summary: Dpanel has an arbitrary file read vulnerability in github.com/donknap/dpanel
+cves:
+ - CVE-2025-53363
+ghsas:
+ - GHSA-gcqf-pxgg-gw8q
+references:
+ - advisory: https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53363
+source:
+ id: GHSA-gcqf-pxgg-gw8q
+ created: 2025-08-27T18:25:37.905610722Z
+review_status: UNREVIEWED
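Review bot: `vulnerable_at: 1.8.1` is higher than `last_affected: 1.7.2` in `unsupported_versions`, so the two fields disagree about whether 1.8.1 is affected. Since `versions` has only `introduced: 1.2.0` and no `fixed`, the report currently flags every release from 1.2.0 onward, 1.8.1 included. If the advisory's 1.7.2 bound is right, use `vulnerable_at: 1.7.2` and add the fixed version once it is known. If 1.8.1 is still vulnerable, the `last_affected` value is stale and should be raised.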
diff --git a/data/reports/GO-2025-3910.yaml b/data/reports/GO-2025-3910.yaml
new file mode 100644
index 0000000..27cec0a
--- /dev/null
+++ b/data/reports/GO-2025-3910.yaml
@@ -0,0 +1,34 @@
+id: GO-2025-3910
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.4+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.1+incompatible
+ vulnerable_at: 10.10.1-rc1+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250708173752-d6b35c41f0ae5
+ vulnerable_at: 8.0.0-20250827163812-93ebaf3d9fda
+summary: Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-6465
+ghsas:
+ - GHSA-pj6f-rc94-gw53
+references:
+ - advisory: https://github.com/advisories/GHSA-pj6f-rc94-gw53
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6465
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-pj6f-rc94-gw53
+ created: 2025-08-27T18:25:33.703497476Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3911.yaml b/data/reports/GO-2025-3911.yaml
new file mode 100644
index 0000000..de37c63
--- /dev/null
+++ b/data/reports/GO-2025-3911.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-3911
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.18+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.9+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.4+incompatible
+ - introduced: 10.9.0+incompatible
+ - fixed: 10.9.4+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.1+incompatible
+ vulnerable_at: 10.10.1-rc1+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250708173752-d6b35c41f0ae5
+ vulnerable_at: 8.0.0-20250827163812-93ebaf3d9fda
+summary: Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-8402
+ghsas:
+ - GHSA-h469-4fcf-p23h
+references:
+ - advisory: https://github.com/advisories/GHSA-h469-4fcf-p23h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-8402
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-h469-4fcf-p23h
+ created: 2025-08-27T18:24:16.454490542Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3913.yaml b/data/reports/GO-2025-3913.yaml
new file mode 100644
index 0000000..27f84fc
--- /dev/null
+++ b/data/reports/GO-2025-3913.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3913
+modules:
+ - module: github.com/traPtitech/traQ
+ non_go_versions:
+ - fixed: 3.25.0
+ vulnerable_at: 1.0.0-rc.2
+summary: traQ Allows Insertion of Sensitive Information into Log File in github.com/traPtitech/traQ
+cves:
+ - CVE-2025-57813
+ghsas:
+ - GHSA-27r7-3m9x-r533
+references:
+ - advisory: https://github.com/traPtitech/traQ/security/advisories/GHSA-27r7-3m9x-r533
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-57813
+ - fix: https://github.com/traPtitech/traQ/commit/ce5da94f5d5a8348f9ecdc82140b6f53b3721698
+ - fix: https://github.com/traPtitech/traQ/pull/2787
+ - fix: https://github.com/traPtitech/traQ/pull/2788
+source:
+ id: GHSA-27r7-3m9x-r533
+ created: 2025-08-27T18:24:01.710841737Z
+review_status: UNREVIEWED
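Review bot: The fix is recorded only as `non_go_versions: fixed: 3.25.0`, so the Go range for `github.com/traPtitech/traQ` stays open-ended; the generated OSV in this commit shows a SEMVER range with `introduced: "0"` and no `fixed`. Users on 3.25.0 or later will still be flagged. The module path has no `/v3` suffix, which is presumably why 3.25.0 could not be mapped. It is worth checking whether the tag resolves as `3.25.0+incompatible`, the form the mattermost-server reports in this commit use, and if so recording `- fixed: 3.25.0+incompatible` under `versions:`. `vulnerable_at: 1.0.0-rc.2` should then move to a version just before the fix.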