data/reports: add 44 reports
- data/reports/GO-2025-3758.yaml
- data/reports/GO-2025-3762.yaml
- data/reports/GO-2025-3763.yaml
- data/reports/GO-2025-3766.yaml
- data/reports/GO-2025-3767.yaml
- data/reports/GO-2025-3768.yaml
- data/reports/GO-2025-3769.yaml
- data/reports/GO-2025-3771.yaml
- data/reports/GO-2025-3772.yaml
- data/reports/GO-2025-3773.yaml
- data/reports/GO-2025-3774.yaml
- data/reports/GO-2025-3776.yaml
- data/reports/GO-2025-3777.yaml
- data/reports/GO-2025-3778.yaml
- data/reports/GO-2025-3779.yaml
- data/reports/GO-2025-3780.yaml
- data/reports/GO-2025-3781.yaml
- data/reports/GO-2025-3782.yaml
- data/reports/GO-2025-3783.yaml
- data/reports/GO-2025-3784.yaml
- data/reports/GO-2025-3785.yaml
- data/reports/GO-2025-3786.yaml
- data/reports/GO-2025-3788.yaml
- data/reports/GO-2025-3789.yaml
- data/reports/GO-2025-3790.yaml
- data/reports/GO-2025-3791.yaml
- data/reports/GO-2025-3792.yaml
- data/reports/GO-2025-3793.yaml
- data/reports/GO-2025-3794.yaml
- data/reports/GO-2025-3795.yaml
- data/reports/GO-2025-3796.yaml
- data/reports/GO-2025-3797.yaml
- data/reports/GO-2025-3799.yaml
- data/reports/GO-2025-3800.yaml
- data/reports/GO-2025-3801.yaml
- data/reports/GO-2025-3804.yaml
- data/reports/GO-2025-3805.yaml
- data/reports/GO-2025-3806.yaml
- data/reports/GO-2025-3807.yaml
- data/reports/GO-2025-3808.yaml
- data/reports/GO-2025-3809.yaml
- data/reports/GO-2025-3810.yaml
- data/reports/GO-2025-3811.yaml
- data/reports/GO-2025-3812.yaml
Fixes golang/vulndb#3758
Fixes golang/vulndb#3762
Fixes golang/vulndb#3763
Fixes golang/vulndb#3766
Fixes golang/vulndb#3767
Fixes golang/vulndb#3768
Fixes golang/vulndb#3769
Fixes golang/vulndb#3771
Fixes golang/vulndb#3772
Fixes golang/vulndb#3773
Fixes golang/vulndb#3774
Fixes golang/vulndb#3776
Fixes golang/vulndb#3777
Fixes golang/vulndb#3778
Fixes golang/vulndb#3779
Fixes golang/vulndb#3780
Fixes golang/vulndb#3781
Fixes golang/vulndb#3782
Fixes golang/vulndb#3783
Fixes golang/vulndb#3784
Fixes golang/vulndb#3785
Fixes golang/vulndb#3786
Fixes golang/vulndb#3788
Fixes golang/vulndb#3789
Fixes golang/vulndb#3790
Fixes golang/vulndb#3791
Fixes golang/vulndb#3792
Fixes golang/vulndb#3793
Fixes golang/vulndb#3794
Fixes golang/vulndb#3795
Fixes golang/vulndb#3796
Fixes golang/vulndb#3797
Fixes golang/vulndb#3799
Fixes golang/vulndb#3800
Fixes golang/vulndb#3801
Fixes golang/vulndb#3804
Fixes golang/vulndb#3805
Fixes golang/vulndb#3806
Fixes golang/vulndb#3807
Fixes golang/vulndb#3808
Fixes golang/vulndb#3809
Fixes golang/vulndb#3810
Fixes golang/vulndb#3811
Fixes golang/vulndb#3812
Change-Id: I13fada6b7ac35a8237f01d24e50cf3ea8d4e6d99
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/689096
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3758.json b/data/osv/GO-2025-3758.json
new file mode 100644
index 0000000..36da612
--- /dev/null
+++ b/data/osv/GO-2025-3758.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3758",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4922",
+ "GHSA-rx97-6c62-55mf"
+ ],
+ "summary": "Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad",
+ "details": "Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/nomad",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.10.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rx97-6c62-55mf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4922"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3758",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3762.json b/data/osv/GO-2025-3762.json
new file mode 100644
index 0000000..de4c647
--- /dev/null
+++ b/data/osv/GO-2025-3762.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3762",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-5689",
+ "GHSA-g8qw-mgjx-rwjr"
+ ],
+ "summary": "New authd users logging in via SSH are members of the root group in github.com/ubuntu/authd",
+ "details": "New authd users logging in via SSH are members of the root group in github.com/ubuntu/authd",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ubuntu/authd",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.5.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5689"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3762",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3763.json b/data/osv/GO-2025-3763.json
new file mode 100644
index 0000000..0fec9fa
--- /dev/null
+++ b/data/osv/GO-2025-3763.json
@@ -0,0 +1,114 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3763",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-49825",
+ "GHSA-8cqv-pj7f-pwpc"
+ ],
+ "summary": "Remote authentication bypass in github.com/gravitational/teleport",
+ "details": "Remote authentication bypass in github.com/gravitational/teleport.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/gravitational/teleport from v16.0.0 before v16.5.12; github.com/gravitational/teleport before v12.4.35, from v13.0.0 before v13.4.27, from v14.0.0 before v14.4.1, from v15.0.0 before v15.5.3, from v17.0.0 before v17.5.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "16.0.0"
+ },
+ {
+ "fixed": "16.5.12"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "name": "github.com/gravitational/teleport",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.0.11"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "12.4.35"
+ },
+ {
+ "introduced": "13.0.0"
+ },
+ {
+ "fixed": "13.4.27"
+ },
+ {
+ "introduced": "14.0.0"
+ },
+ {
+ "fixed": "14.4.1"
+ },
+ {
+ "introduced": "15.0.0"
+ },
+ {
+ "fixed": "15.5.3"
+ },
+ {
+ "introduced": "17.0.0"
+ },
+ {
+ "fixed": "17.5.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gravitational/teleport/security/advisories/GHSA-8cqv-pj7f-pwpc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49825"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3763",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
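Review bot: Both `affected` entries name `github.com/gravitational/teleport`, and the first one's SEMVER range is `"introduced": "0"` with no `fixed` event, so a scanner matching on SEMVER ranges will report every version of the module, including the patched releases that appear only under `custom_ranges` (16.5.12, 17.5.2 and the others). The second entry's `"introduced": "0.0.11"` range is already covered by the first and adds nothing. Since this is an authentication bypass that consumers will triage on, it is worth merging the two entries in `data/reports/GO-2025-3763.yaml` and, if the fixed releases can be mapped to module versions (presumably `+incompatible` tags, to be confirmed), recording them as `fixed` events. GO-2025-3766 has the same shape: its range ends on `"introduced": "0.0.1-test"` with no closing `fixed`, while `custom_ranges` gives 11.6.2.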
diff --git a/data/osv/GO-2025-3766.json b/data/osv/GO-2025-3766.json
new file mode 100644
index 0000000..92bdfaa
--- /dev/null
+++ b/data/osv/GO-2025-3766.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3766",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-1088",
+ "GHSA-crvv-6w6h-cv34"
+ ],
+ "summary": "Grafana long dashboard title or panel name causes unresponsives in github.com/grafana/grafana",
+ "details": "Grafana long dashboard title or panel name causes unresponsives in github.com/grafana/grafana.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/grafana/grafana before v11.6.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/grafana/grafana",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250521211231-e0ba4b480954"
+ },
+ {
+ "introduced": "0.0.1-test"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "11.6.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-crvv-6w6h-cv34"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1088"
+ },
+ {
+ "type": "WEB",
+ "url": "https://grafana.com/security/security-advisories/cve-2025-1088"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3766",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3767.json b/data/osv/GO-2025-3767.json
new file mode 100644
index 0000000..c44177f
--- /dev/null
+++ b/data/osv/GO-2025-3767.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3767",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-5981",
+ "GHSA-2hcm-q3f4-fjgw"
+ ],
+ "summary": "OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal in github.com/google/osv-scalibr",
+ "details": "OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal in github.com/google/osv-scalibr",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/google/osv-scalibr",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.1.3"
+ },
+ {
+ "fixed": "0.2.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2hcm-q3f4-fjgw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5981"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/osv-scalibr/releases/tag/v0.1.8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3767",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
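Review bot: The SEMVER range gives `"fixed": "0.2.1"`, but the only release linked in `references` is `releases/tag/v0.1.8`, so the two disagree about where the path-traversal fix landed. If the fix commit 2444419b1818 first shipped in v0.1.8, this range flags versions 0.1.8 through 0.2.0 as vulnerable; if it really shipped in 0.2.1, the v0.1.8 link is misleading. Confirm which tag first contains that commit and correct `data/reports/GO-2025-3767.yaml` accordingly.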
diff --git a/data/osv/GO-2025-3768.json b/data/osv/GO-2025-3768.json
new file mode 100644
index 0000000..f41aef7
--- /dev/null
+++ b/data/osv/GO-2025-3768.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3768",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-6264",
+ "GHSA-gpfc-mph4-qm24"
+ ],
+ "summary": "Velociraptor vulnerable to privilege escalation via UpdateConfig artifact in www.velocidex.com/golang/velociraptor",
+ "details": "Velociraptor vulnerable to privilege escalation via UpdateConfig artifact in www.velocidex.com/golang/velociraptor",
+ "affected": [
+ {
+ "package": {
+ "name": "www.velocidex.com/golang/velociraptor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.74.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gpfc-mph4-qm24"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-6264"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Velocidex/velociraptor/commit/21e7fd7138ddaa798cad35fd929864f6bb0c4e9c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3768",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3769.json b/data/osv/GO-2025-3769.json
new file mode 100644
index 0000000..499da35
--- /dev/null
+++ b/data/osv/GO-2025-3769.json
@@ -0,0 +1,140 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3769",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4981",
+ "GHSA-qh58-9v3j-wcjc"
+ ],
+ "summary": "Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250519205859-65aec10162f6"
+ },
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.16+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.6+incompatible"
+ },
+ {
+ "introduced": "10.6.0+incompatible"
+ },
+ {
+ "fixed": "10.6.6+incompatible"
+ },
+ {
+ "introduced": "10.7.0+incompatible"
+ },
+ {
+ "fixed": "10.7.3+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250519205859-65aec10162f6"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qh58-9v3j-wcjc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4981"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3769",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
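Review bot: The reference to `mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b` is typed `WEB`, yet its hash is the one embedded in both `fixed` pseudo-versions (`…-65aec10162f6`), so it is the fix commit. Typing it `"type": "FIX"` lets consumers and tooling locate the patch for this arbitrary file write without reading every link. GO-2025-3778 has the same mismatch for commit `110117b2e5e5…`.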
diff --git a/data/osv/GO-2025-3771.json b/data/osv/GO-2025-3771.json
new file mode 100644
index 0000000..0376503
--- /dev/null
+++ b/data/osv/GO-2025-3771.json
@@ -0,0 +1,136 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3771",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3228",
+ "GHSA-4578-6gjh-f2jm"
+ ],
+ "summary": "Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250520060012-d0380305ef7a"
+ },
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.16+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.6+incompatible"
+ },
+ {
+ "introduced": "10.6.0+incompatible"
+ },
+ {
+ "fixed": "10.6.6+incompatible"
+ },
+ {
+ "introduced": "10.7.0+incompatible"
+ },
+ {
+ "fixed": "10.7.3+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250520060012-d0380305ef7a"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4578-6gjh-f2jm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3228"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3771",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3772.json b/data/osv/GO-2025-3772.json
new file mode 100644
index 0000000..ffef7a2
--- /dev/null
+++ b/data/osv/GO-2025-3772.json
@@ -0,0 +1,136 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3772",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-3227",
+ "GHSA-qwwm-c582-82rx"
+ ],
+ "summary": "Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server",
+ "details": "Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250520060012-d0380305ef7a"
+ },
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.16+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.6+incompatible"
+ },
+ {
+ "introduced": "10.6.0+incompatible"
+ },
+ {
+ "fixed": "10.6.6+incompatible"
+ },
+ {
+ "introduced": "10.7.0+incompatible"
+ },
+ {
+ "fixed": "10.7.3+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250520060012-d0380305ef7a"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qwwm-c582-82rx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3227"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3772",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3773.json b/data/osv/GO-2025-3773.json
new file mode 100644
index 0000000..2a260d1
--- /dev/null
+++ b/data/osv/GO-2025-3773.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3773",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-5030",
+ "GHSA-w6p4-84vc-qc2w"
+ ],
+ "summary": "Ackites KillWxapkg vulnerable to OS Command Injection in github.com/Ackites/KillWxapkg",
+ "details": "Ackites KillWxapkg vulnerable to OS Command Injection in github.com/Ackites/KillWxapkg",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/Ackites/KillWxapkg",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-w6p4-84vc-qc2w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5030"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/Ackites/KillWxapkg/issues/85"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.309850"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.309850"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.580526"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3773",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3774.json b/data/osv/GO-2025-3774.json
new file mode 100644
index 0000000..312cbac
--- /dev/null
+++ b/data/osv/GO-2025-3774.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3774",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4563",
+ "GHSA-hj2p-8wj8-pfq4"
+ ],
+ "summary": "kubernetes allows nodes to bypass dynamic resource allocation authorization checks in k8s.io/kubernetes",
+ "details": "kubernetes allows nodes to bypass dynamic resource allocation authorization checks in k8s.io/kubernetes",
+ "affected": [
+ {
+ "package": {
+ "name": "k8s.io/kubernetes",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.32.0"
+ },
+ {
+ "fixed": "1.32.6"
+ },
+ {
+ "introduced": "1.33.0"
+ },
+ {
+ "fixed": "1.33.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hj2p-8wj8-pfq4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4563"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/issues/132151"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/131844"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/131875"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/kubernetes/kubernetes/pull/131876"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3774",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3776.json b/data/osv/GO-2025-3776.json
new file mode 100644
index 0000000..3e517e3
--- /dev/null
+++ b/data/osv/GO-2025-3776.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3776",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-56731",
+ "GHSA-wj44-9vcg-wjq7"
+ ],
+ "summary": "Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs",
+ "details": "Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs",
+ "affected": [
+ {
+ "package": {
+ "name": "gogs.io/gogs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.13.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56731"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-ccqv-43vm-4f3w"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gogs/gogs/releases/tag/v0.13.3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3776",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3777.json b/data/osv/GO-2025-3777.json
new file mode 100644
index 0000000..a5c9c6f
--- /dev/null
+++ b/data/osv/GO-2025-3777.json
@@ -0,0 +1,160 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3777",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-6032",
+ "GHSA-65gg-3w2w-hr4h"
+ ],
+ "summary": "Podman Improper Certificate Validation; machine missing TLS verification in github.com/containers/podman",
+ "details": "Podman Improper Certificate Validation; machine missing TLS verification in github.com/containers/podman",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/containers/podman",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v3",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v4",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "4.8.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/containers/podman/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.5.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6032"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:10295"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:10549"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:10550"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:10551"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:10668"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:9726"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:9751"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:9766"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-6032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372501"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3777",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
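Review bot: The ranges are inconsistent across major versions: `github.com/containers/podman/v4` starts at `"introduced": "4.8.0"`, while the unversioned module, `/v2` and `/v3` are all marked affected from `"introduced": "0"` with no `fixed`. If the missing TLS verification first appeared in 4.8.0, the three older module paths should presumably not be listed at all, and leaving them in produces findings for code that never had the flaw. The `/v4` entry also has no `fixed` event, which may be correct if no 4.x release carries the fix, but should be confirmed against the advisory before the report leaves `UNREVIEWED`.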
diff --git a/data/osv/GO-2025-3778.json b/data/osv/GO-2025-3778.json
new file mode 100644
index 0000000..e385fa6
--- /dev/null
+++ b/data/osv/GO-2025-3778.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3778",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47943",
+ "GHSA-xh32-cx6c-cp4v"
+ ],
+ "summary": "Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs",
+ "details": "Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs",
+ "affected": [
+ {
+ "package": {
+ "name": "gogs.io/gogs",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.13.3-0.20250608224432-110117b2e5e5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gogs/gogs/releases/tag/v0.13.3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3778",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3779.json b/data/osv/GO-2025-3779.json
new file mode 100644
index 0000000..f547f68
--- /dev/null
+++ b/data/osv/GO-2025-3779.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3779",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52477",
+ "GHSA-h3qp-hwvr-9xcq"
+ ],
+ "summary": "Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens in github.com/octo-sts/app",
+ "details": "Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens in github.com/octo-sts/app",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/octo-sts/app",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.5.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52477"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3779",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3780.json b/data/osv/GO-2025-3780.json
new file mode 100644
index 0000000..fe1c432
--- /dev/null
+++ b/data/osv/GO-2025-3780.json
@@ -0,0 +1,85 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3780",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52893",
+ "GHSA-8f5r-8cmq-7fmq"
+ ],
+ "summary": "OpenBao Inserts Sensitive Information into Log File when processing malformed data in github.com/openbao/openbao/sdk",
+ "details": "OpenBao Inserts Sensitive Information into Log File when processing malformed data in github.com/openbao/openbao/sdk",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao/sdk",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/openbao/openbao/sdk/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52893"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-viper/mapstructure/pull/105"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/go-viper/mapstructure/releases/tag/v2.3.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3780",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3781.json b/data/osv/GO-2025-3781.json
new file mode 100644
index 0000000..becbec1
--- /dev/null
+++ b/data/osv/GO-2025-3781.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3781",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52889",
+ "GHSA-9q7c-qmhm-jv86"
+ ],
+ "summary": "Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks in github.com/lxc/incus",
+ "details": "Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks in github.com/lxc/incus",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/lxc/incus",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/lxc/incus/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "6.12.0"
+ },
+ {
+ "fixed": "6.14.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/lxc/incus/security/advisories/GHSA-9q7c-qmhm-jv86"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52889"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/lxc/incus/commit/2516fb19ad8428454cb4edfe70c0a5f0dc1da214"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/lxc/incus/commit/a7c33301738aede3c035063e973b1d885d9bac7c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3781",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3782.json b/data/osv/GO-2025-3782.json
new file mode 100644
index 0000000..5d798fd
--- /dev/null
+++ b/data/osv/GO-2025-3782.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3782",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52890",
+ "GHSA-p7fw-vjjm-2rwp"
+ ],
+ "summary": "Incus creates nftables rules that partially bypass security options in github.com/lxc/incus",
+ "details": "Incus creates nftables rules that partially bypass security options in github.com/lxc/incus",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/lxc/incus",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/lxc/incus/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "6.12.0"
+ },
+ {
+ "fixed": "6.14.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52890"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/lxc/incus/commit/254dfd2483ab8de39b47c2258b7f1cf0759231c8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3782",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3783.json b/data/osv/GO-2025-3783.json
new file mode 100644
index 0000000..0b35c3f
--- /dev/null
+++ b/data/osv/GO-2025-3783.json
@@ -0,0 +1,92 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3783",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52894",
+ "GHSA-prpj-rchp-9j5h"
+ ],
+ "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api",
+ "details": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao/api",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/openbao/openbao/api/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.2.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52894"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/releases/tag/v2.3.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://openbao.org/docs/deprecation"
+ },
+ {
+ "type": "WEB",
+ "url": "https://openbao.org/docs/deprecation/unauthed-rekey"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3783",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
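Review bot: The `details` string ends with `The additional affected modules and versions are: .`, an empty list, so the record warns readers about unmapped versions without naming any of them. The only candidate visible in this hunk is the `custom_ranges` entry under `github.com/openbao/openbao/api/v2`, which has `"introduced": "2.2.2"` and no `fixed` event and does not agree with the SEMVER range that starts at `0`. Either name that module and range in the sentence or drop the NOTE paragraph, and confirm which lower bound is intended. The data/osv files look generated from data/reports/GO-2025-3783.yaml, so the correction presumably belongs in the report.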
diff --git a/data/osv/GO-2025-3784.json b/data/osv/GO-2025-3784.json
new file mode 100644
index 0000000..849c27e
--- /dev/null
+++ b/data/osv/GO-2025-3784.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3784",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52902",
+ "GHSA-4wx8-5gm2-2j97"
+ ],
+ "summary": "filebrowser allows Stored Cross-Site Scripting through the Markdown preview function in github.com/filebrowser/filebrowser",
+ "details": "filebrowser allows Stored Cross-Site Scripting through the Markdown preview function in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.33.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52902"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3784",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3785.json b/data/osv/GO-2025-3785.json
new file mode 100644
index 0000000..2d691cf
--- /dev/null
+++ b/data/osv/GO-2025-3785.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3785",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52900",
+ "GHSA-jj2r-455p-5gvf"
+ ],
+ "summary": "filebrowser Sets Insecure File Permissions in github.com/filebrowser/filebrowser",
+ "details": "filebrowser Sets Insecure File Permissions in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.33.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52900"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3785",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3786.json b/data/osv/GO-2025-3786.json
new file mode 100644
index 0000000..810e132
--- /dev/null
+++ b/data/osv/GO-2025-3786.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3786",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52903",
+ "GHSA-3q2w-42mv-cph4"
+ ],
+ "summary": "filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser",
+ "details": "filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.33.10"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52903"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/filebrowser/filebrowser/issues/5199"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3786",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3788.json b/data/osv/GO-2025-3788.json
new file mode 100644
index 0000000..ec96c15
--- /dev/null
+++ b/data/osv/GO-2025-3788.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3788",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-4656",
+ "GHSA-fhc2-8qx8-6vj7"
+ ],
+ "summary": "Vault Community Edition rekey and recovery key operations can cause denial of service in github.com/hashicorp/vault",
+ "details": "Vault Community Edition rekey and recovery key operations can cause denial of service in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.14.8"
+ },
+ {
+ "fixed": "1.20.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fhc2-8qx8-6vj7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4656"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/vault/pull/30794"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3788",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3789.json b/data/osv/GO-2025-3789.json
new file mode 100644
index 0000000..c237a5e
--- /dev/null
+++ b/data/osv/GO-2025-3789.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3789",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-6624",
+ "GHSA-6hwc-9h8r-3vmf"
+ ],
+ "summary": "Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode in github.com/snyk/go-application-framework",
+ "details": "Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode in github.com/snyk/go-application-framework",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/snyk/go-application-framework",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-6hwc-9h8r-3vmf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6624"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/snyk/go-application-framework/commit/ca7ba7d72e68455afb466a7a47bb2c9aece86c18"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.snyk.io/snyk-cli/debugging-the-snyk-cli"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/snyk"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/snyk/cli/commit/38322f377da7e5f1391e1f641710be50989fa4df"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/snyk/cli/releases/tag/v1.1297.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-10497607"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3789",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3790.json b/data/osv/GO-2025-3790.json
new file mode 100644
index 0000000..235b0c5
--- /dev/null
+++ b/data/osv/GO-2025-3790.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3790",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52996",
+ "GHSA-3v48-283x-f2w4"
+ ],
+ "summary": "File Browser's password protection of links is bypassable in github.com/filebrowser/filebrowser",
+ "details": "File Browser's password protection of links is bypassable in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52996"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/filebrowser/filebrowser/issues/5239"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3790",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3791.json b/data/osv/GO-2025-3791.json
new file mode 100644
index 0000000..21823d2
--- /dev/null
+++ b/data/osv/GO-2025-3791.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3791",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-56j4-446m-qrf6"
+ ],
+ "summary": "Babylon vulnerable to chain half when transaction has fees different than `ubbn` in github.com/babylonlabs-io/babylon",
+ "details": "Babylon vulnerable to chain half when transaction has fees different than `ubbn` in github.com/babylonlabs-io/babylon",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/babylonlabs-io/babylon",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/babylonlabs-io/babylon/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-56j4-446m-qrf6"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/babylonlabs-io/babylon/commit/fe67aebd5216e7d3afa1d7dee2a3f82e548556f3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3791",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
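Review bot: `summary` and `details` both read `chain half`, which looks like a typo for `chain halt`; GO-2025-3801, added in this same commit for the same module, uses `chain halt`. The wording is presumably copied from the upstream advisory title, but anyone searching the database for chain-halt (denial of service) issues in `github.com/babylonlabs-io/babylon` will miss this entry. I would change `chain half` to `chain halt` in both fields, in the source report if this file is generated from it.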
diff --git a/data/osv/GO-2025-3792.json b/data/osv/GO-2025-3792.json
new file mode 100644
index 0000000..397a2f8
--- /dev/null
+++ b/data/osv/GO-2025-3792.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3792",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52997",
+ "GHSA-cm2r-rg7r-p7gg"
+ ],
+ "summary": "File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser",
+ "details": "File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.34.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-cm2r-rg7r-p7gg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52997"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/bf37f88c32222ad9c186482bb97338a9c9b4a93c"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3792",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3793.json b/data/osv/GO-2025-3793.json
new file mode 100644
index 0000000..c0b034a
--- /dev/null
+++ b/data/osv/GO-2025-3793.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3793",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52904",
+ "GHSA-hc8f-m8g5-8362"
+ ],
+ "summary": "File Browser: Command Execution not Limited to Scope in github.com/filebrowser/filebrowser",
+ "details": "File Browser: Command Execution not Limited to Scope in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52904"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/filebrowser/filebrowser/issues/5199"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/GoogleContainerTools/distroless"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sloonz.github.io/posts/sandboxing-1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3793",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3794.json b/data/osv/GO-2025-3794.json
new file mode 100644
index 0000000..46e577f
--- /dev/null
+++ b/data/osv/GO-2025-3794.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3794",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52901",
+ "GHSA-rmwh-g367-mj4x"
+ ],
+ "summary": "File Browser allows sensitive data to be transferred in URL in github.com/filebrowser/filebrowser",
+ "details": "File Browser allows sensitive data to be transferred in URL in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.33.9"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52901"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.33.9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3794",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3795.json b/data/osv/GO-2025-3795.json
new file mode 100644
index 0000000..b4f2be7
--- /dev/null
+++ b/data/osv/GO-2025-3795.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3795",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-52995",
+ "GHSA-w7qc-6grj-w7r8"
+ ],
+ "summary": "File Browser vulnerable to command execution allowlist bypass in github.com/filebrowser/filebrowser",
+ "details": "File Browser vulnerable to command execution allowlist bypass in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.33.10"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w7qc-6grj-w7r8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52995"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.33.10"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3795",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3796.json b/data/osv/GO-2025-3796.json
new file mode 100644
index 0000000..92b3c31
--- /dev/null
+++ b/data/osv/GO-2025-3796.json
@@ -0,0 +1,144 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3796",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-46702",
+ "GHSA-v8fr-vxmw-6mf6"
+ ],
+ "summary": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250513065225-4ae5d647fb88"
+ },
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.16+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.6+incompatible"
+ },
+ {
+ "introduced": "10.6.0+incompatible"
+ },
+ {
+ "fixed": "10.6.6+incompatible"
+ },
+ {
+ "introduced": "10.7.0+incompatible"
+ },
+ {
+ "fixed": "10.7.3+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250513065225-4ae5d647fb88"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-v8fr-vxmw-6mf6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46702"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/31142f101e3cce6171e2b6cb4980a1aa8eaefae0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/4ae5d647fb8893d77dccbb57d114855939a775ce"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3796",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
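Review bot: In the `github.com/mattermost/mattermost-server` range, the first `fixed` event `0.0.0-20250513065225-4ae5d647fb88` sorts below every tagged release, so `+incompatible` versions from 1.x up to just under `9.11.0+incompatible` fall outside all ranges and would be reported as unaffected. If the source advisory does not actually clear those older releases, that is a false negative for scanners. Worth confirming, and if they are affected or unknown, dropping that first `fixed` event so the range runs from `0` to `9.11.16+incompatible`. GO-2025-3797 carries the same range and a word-for-word identical `summary`, which leaves CVE-2025-46702 and CVE-2025-47871 distinguishable only by alias; a summary naming the affected feature would help triage.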
diff --git a/data/osv/GO-2025-3797.json b/data/osv/GO-2025-3797.json
new file mode 100644
index 0000000..2b9dc19
--- /dev/null
+++ b/data/osv/GO-2025-3797.json
@@ -0,0 +1,136 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3797",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-47871",
+ "GHSA-wgvp-jj4w-88hf"
+ ],
+ "summary": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250513065225-4ae5d647fb88"
+ },
+ {
+ "introduced": "9.11.0+incompatible"
+ },
+ {
+ "fixed": "9.11.16+incompatible"
+ },
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.6+incompatible"
+ },
+ {
+ "introduced": "10.6.0+incompatible"
+ },
+ {
+ "fixed": "10.6.6+incompatible"
+ },
+ {
+ "introduced": "10.7.0+incompatible"
+ },
+ {
+ "fixed": "10.7.3+incompatible"
+ },
+ {
+ "introduced": "10.8.0+incompatible"
+ },
+ {
+ "fixed": "10.8.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250513065225-4ae5d647fb88"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-wgvp-jj4w-88hf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47871"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3797",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3799.json b/data/osv/GO-2025-3799.json
new file mode 100644
index 0000000..cd16ca7
--- /dev/null
+++ b/data/osv/GO-2025-3799.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3799",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-fv2p-qj5p-wqq4"
+ ],
+ "summary": "LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement in github.com/lf-edge/ekuiper",
+ "details": "LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement in github.com/lf-edge/ekuiper",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/lf-edge/ekuiper",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/lf-edge/ekuiper/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-fv2p-qj5p-wqq4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3799",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3800.json b/data/osv/GO-2025-3800.json
new file mode 100644
index 0000000..a495740
--- /dev/null
+++ b/data/osv/GO-2025-3800.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3800",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-gj54-gwj9-x2c6"
+ ],
+ "summary": "eKuiper /config/uploads API arbitrary file writing may lead to RCE in github.com/lf-edge/ekuiper",
+ "details": "eKuiper /config/uploads API arbitrary file writing may lead to RCE in github.com/lf-edge/ekuiper",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/lf-edge/ekuiper",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/lf-edge/ekuiper/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-gj54-gwj9-x2c6"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3800",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3801.json b/data/osv/GO-2025-3801.json
new file mode 100644
index 0000000..c35479a
--- /dev/null
+++ b/data/osv/GO-2025-3801.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3801",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-rj53-j6jw-7f7g"
+ ],
+ "summary": "Babylon vulnerable to chain halt when a message modifies the validator set at the epoch boundary in github.com/babylonlabs-io/babylon",
+ "details": "Babylon vulnerable to chain halt when a message modifies the validator set at the epoch boundary in github.com/babylonlabs-io/babylon",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/babylonlabs-io/babylon",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/babylonlabs-io/babylon/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-rj53-j6jw-7f7g"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/babylonlabs-io/babylon/pull/1244/files"
+ },
+ {
+ "type": "WEB",
+ "url": "https://boiling-lake-106.notion.site/2025-06-18-Babylon-Genesis-Chain-Halt-Post-Mortem-229f60cc1b5f80b7adf5e3ea0541ea87"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/babylonlabs-io/babylon/releases/tag/v2.1.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3801",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3804.json b/data/osv/GO-2025-3804.json
new file mode 100644
index 0000000..1cf6f8c
--- /dev/null
+++ b/data/osv/GO-2025-3804.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3804",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53513",
+ "GHSA-24ch-w38v-xmh8"
+ ],
+ "summary": "Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju",
+ "details": "Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/juju/juju",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250619215741-6356e984b82a"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53513"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/6356e984b82a4a7b9771ff5e51e297ad62f3b405"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/ff39557a137c0e95d4cd3553b0f19c859c6f5d8e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/file/d/1pHRNiaA8LyMVJYwIyTqelsqJ9FmImDf0/view"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L754"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L897"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L990"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3804",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3805.json b/data/osv/GO-2025-3805.json
new file mode 100644
index 0000000..cd837bf
--- /dev/null
+++ b/data/osv/GO-2025-3805.json
@@ -0,0 +1,75 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3805",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-0928",
+ "GHSA-4vc8-wvhw-m5gv"
+ ],
+ "summary": "Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju",
+ "details": "Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/juju/juju before v0.0.0-20250619215741-4034aa13c7cf.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/juju/juju",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250619215741-4034aa13c7cf"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0928"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3805",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3806.json b/data/osv/GO-2025-3806.json
new file mode 100644
index 0000000..eb955f4
--- /dev/null
+++ b/data/osv/GO-2025-3806.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3806",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53512",
+ "GHSA-r64v-82fh-xc63"
+ ],
+ "summary": "Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju",
+ "details": "Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/juju/juju",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250619024904-402ff008dcc2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53512"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/402ff008dcc2cb57f4441968628637efb5c2a662"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3806",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3807.json b/data/osv/GO-2025-3807.json
new file mode 100644
index 0000000..1112d8c
--- /dev/null
+++ b/data/osv/GO-2025-3807.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3807",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-phhq-63jg-fp7r"
+ ],
+ "summary": "Contrast vulnerability allows arbitrary host data Injection into container VOLUME mount points in github.com/edgelesssys/contrast",
+ "details": "Contrast vulnerability allows arbitrary host data Injection into container VOLUME mount points in github.com/edgelesssys/contrast",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/edgelesssys/contrast",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-phhq-63jg-fp7r"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/edgelesssys/contrast/commit/635b471ddbb512b6661e6f1d767aab818bd50bda"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/edgelesssys/contrast/releases/tag/v1.9.1"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3807",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3808.json b/data/osv/GO-2025-3808.json
new file mode 100644
index 0000000..7410bb2
--- /dev/null
+++ b/data/osv/GO-2025-3808.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3808",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53632",
+ "GHSA-3gv2-v3jx-r9fh"
+ ],
+ "summary": "Chall-Manager is vulnerable to Path Traversal when extracting/decoding a zip archive in github.com/ctfer-io/chall-manager",
+ "details": "Chall-Manager is vulnerable to Path Traversal when extracting/decoding a zip archive in github.com/ctfer-io/chall-manager",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ctfer-io/chall-manager",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-3gv2-v3jx-r9fh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53632"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ctfer-io/chall-manager/commit/47d188fda5e3f86285e820f12ad9fb6f9930662c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3808",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3809.json b/data/osv/GO-2025-3809.json
new file mode 100644
index 0000000..857fcb4
--- /dev/null
+++ b/data/osv/GO-2025-3809.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3809",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53634",
+ "GHSA-ggmv-j932-q89q"
+ ],
+ "summary": "Chall-Manager's HTTP Gateway is vulnerable to DoS due to missing header timeout in github.com/ctfer-io/chall-manager",
+ "details": "Chall-Manager's HTTP Gateway is vulnerable to DoS due to missing header timeout in github.com/ctfer-io/chall-manager",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ctfer-io/chall-manager",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-ggmv-j932-q89q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53634"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ctfer-io/chall-manager/commit/1385bd869142651146cd0b123085f91cec698636"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3809",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3810.json b/data/osv/GO-2025-3810.json
new file mode 100644
index 0000000..d0fd1e7
--- /dev/null
+++ b/data/osv/GO-2025-3810.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3810",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53633",
+ "GHSA-r7fm-3pqm-ww5w"
+ ],
+ "summary": "Chall-Manager's scenario decoding process does not check for zip bombs in github.com/ctfer-io/chall-manager",
+ "details": "Chall-Manager's scenario decoding process does not check for zip bombs in github.com/ctfer-io/chall-manager",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/ctfer-io/chall-manager",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-r7fm-3pqm-ww5w"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53633"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/ctfer-io/chall-manager/commit/14042aa66a577caee777e10fe09adcf2587d20dd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3810",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3811.json b/data/osv/GO-2025-3811.json
new file mode 100644
index 0000000..01b0711
--- /dev/null
+++ b/data/osv/GO-2025-3811.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3811",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53893",
+ "GHSA-7xqm-7738-642x"
+ ],
+ "summary": "File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser",
+ "details": "File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.0.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.0.0-rc.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642x"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53893"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/filebrowser/filebrowser/issues/5294"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3811",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3812.json b/data/osv/GO-2025-3812.json
new file mode 100644
index 0000000..0f29c3e
--- /dev/null
+++ b/data/osv/GO-2025-3812.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3812",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-53826",
+ "GHSA-7xwp-2cpp-p8r7"
+ ],
+ "summary": "File Browser’s insecure JWT handling can lead to session replay attacks after logout in github.com/filebrowser/filebrowser",
+ "details": "File Browser’s insecure JWT handling can lead to session replay attacks after logout in github.com/filebrowser/filebrowser",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/filebrowser/filebrowser/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53826"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/filebrowser/filebrowser/issues/5216"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3812",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3758.yaml b/data/reports/GO-2025-3758.yaml
new file mode 100644
index 0000000..4101ca4
--- /dev/null
+++ b/data/reports/GO-2025-3758.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3758
+modules:
+ - module: github.com/hashicorp/nomad
+ versions:
+ - fixed: 1.10.2
+ vulnerable_at: 1.10.1
+summary: Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad
+cves:
+ - CVE-2025-4922
+ghsas:
+ - GHSA-rx97-6c62-55mf
+references:
+ - advisory: https://github.com/advisories/GHSA-rx97-6c62-55mf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4922
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396
+source:
+ id: GHSA-rx97-6c62-55mf
+ created: 2025-07-21T17:09:05.299016816Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3762.yaml b/data/reports/GO-2025-3762.yaml
new file mode 100644
index 0000000..10405da
--- /dev/null
+++ b/data/reports/GO-2025-3762.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3762
+modules:
+ - module: github.com/ubuntu/authd
+ versions:
+ - fixed: 0.5.4
+ vulnerable_at: 0.5.3
+summary: New authd users logging in via SSH are members of the root group in github.com/ubuntu/authd
+cves:
+ - CVE-2025-5689
+ghsas:
+ - GHSA-g8qw-mgjx-rwjr
+references:
+ - advisory: https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-5689
+ - fix: https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab
+source:
+ id: GHSA-g8qw-mgjx-rwjr
+ created: 2025-07-21T17:09:00.23399162Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3763.yaml b/data/reports/GO-2025-3763.yaml
new file mode 100644
index 0000000..7fed89f
--- /dev/null
+++ b/data/reports/GO-2025-3763.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-3763
+modules:
+ - module: github.com/gravitational/teleport
+ non_go_versions:
+ - introduced: 16.0.0
+ - fixed: 16.5.12
+ vulnerable_at: 3.2.17+incompatible
+ - module: github.com/gravitational/teleport
+ versions:
+ - introduced: 0.0.11
+ non_go_versions:
+ - fixed: 12.4.35
+ - introduced: 13.0.0
+ - fixed: 13.4.27
+ - introduced: 14.0.0
+ - fixed: 14.4.1
+ - introduced: 15.0.0
+ - fixed: 15.5.3
+ - introduced: 17.0.0
+ - fixed: 17.5.2
+ unsupported_versions:
+ - last_affected: 0.0.0-20250616162021-79b2f26125a1
+ vulnerable_at: 3.2.17+incompatible
+summary: Remote authentication bypass in github.com/gravitational/teleport
+cves:
+ - CVE-2025-49825
+ghsas:
+ - GHSA-8cqv-pj7f-pwpc
+references:
+ - advisory: https://github.com/gravitational/teleport/security/advisories/GHSA-8cqv-pj7f-pwpc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-49825
+source:
+ id: GHSA-8cqv-pj7f-pwpc
+ created: 2025-07-21T17:04:10.293215598Z
+review_status: UNREVIEWED
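Review bot: `github.com/gravitational/teleport` is listed as two separate `module` entries, and neither gives a Go-resolvable `fixed` version. The first entry has no `versions` key at all, and the second has only `introduced: 0.0.11`; every fix point (12.4.35, 13.4.27, 14.4.1, 15.5.3, 16.5.12, 17.5.2) sits under `non_go_versions`. A scanner that matches on `versions` will presumably report every importable version as affected by this authentication bypass, with no upgrade target. Merging the two entries into one and checking whether any fixed release maps to a pseudo-version would make the range actionable before the report leaves `UNREVIEWED`.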
diff --git a/data/reports/GO-2025-3766.yaml b/data/reports/GO-2025-3766.yaml
new file mode 100644
index 0000000..929688d
--- /dev/null
+++ b/data/reports/GO-2025-3766.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3766
+modules:
+ - module: github.com/grafana/grafana
+ versions:
+ - fixed: 0.0.0-20250521211231-e0ba4b480954
+ - introduced: 0.0.1-test
+ non_go_versions:
+ - fixed: 11.6.2
+ vulnerable_at: 5.4.5+incompatible
+summary: Grafana long dashboard title or panel name causes unresponsives in github.com/grafana/grafana
+cves:
+ - CVE-2025-1088
+ghsas:
+ - GHSA-crvv-6w6h-cv34
+references:
+ - advisory: https://github.com/advisories/GHSA-crvv-6w6h-cv34
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1088
+ - web: https://grafana.com/security/security-advisories/cve-2025-1088
+source:
+ id: GHSA-crvv-6w6h-cv34
+ created: 2025-07-21T17:03:52.291381898Z
+review_status: UNREVIEWED
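Review bot: The `versions` list ends with `introduced: 0.0.1-test` and no matching `fixed`, so the range stays open and every Go version at or above that tag is matched. That includes builds at or after the 11.6.2 fix named in `non_go_versions`. If the fix commit `e0ba4b480954` is the real upper bound, the second range needs its own `fixed` entry or should be dropped. This cannot be settled from the diff alone and should be checked against the upstream advisory. The summary also has a typo; I would write `summary: Grafana long dashboard title or panel name causes unresponsiveness in github.com/grafana/grafana`.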
diff --git a/data/reports/GO-2025-3767.yaml b/data/reports/GO-2025-3767.yaml
new file mode 100644
index 0000000..0d1f693
--- /dev/null
+++ b/data/reports/GO-2025-3767.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3767
+modules:
+ - module: github.com/google/osv-scalibr
+ versions:
+ - introduced: 0.1.3
+ - fixed: 0.2.1
+ vulnerable_at: 0.2.0
+summary: |-
+ OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via
+ Path Traversal in github.com/google/osv-scalibr
+cves:
+ - CVE-2025-5981
+ghsas:
+ - GHSA-2hcm-q3f4-fjgw
+references:
+ - advisory: https://github.com/advisories/GHSA-2hcm-q3f4-fjgw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-5981
+ - fix: https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59
+ - web: https://github.com/google/osv-scalibr/releases/tag/v0.1.8
+source:
+ id: GHSA-2hcm-q3f4-fjgw
+ created: 2025-07-21T17:03:47.011825465Z
+review_status: UNREVIEWED
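Review bot: The `fixed: 0.2.1` bound does not agree with the release reference in the same report, which points at tag `v0.1.8`. If the path-traversal fix shipped in 0.1.8, then 0.1.8 through 0.2.0 are false positives and `vulnerable_at: 0.2.0` is wrong too. If 0.2.1 is right, the release link is misleading. The diff does not show which is correct, so check the range against the fix commit `2444419b1818c2d6917fc3394c947fb3276e9d59` and align the two.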
diff --git a/data/reports/GO-2025-3768.yaml b/data/reports/GO-2025-3768.yaml
new file mode 100644
index 0000000..20466a0
--- /dev/null
+++ b/data/reports/GO-2025-3768.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3768
+modules:
+ - module: www.velocidex.com/golang/velociraptor
+ versions:
+ - fixed: 0.74.3
+ vulnerable_at: 0.74.2
+summary: Velociraptor vulnerable to privilege escalation via UpdateConfig artifact in www.velocidex.com/golang/velociraptor
+cves:
+ - CVE-2025-6264
+ghsas:
+ - GHSA-gpfc-mph4-qm24
+references:
+ - advisory: https://github.com/advisories/GHSA-gpfc-mph4-qm24
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6264
+ - web: https://docs.velociraptor.app/announcements/advisories/cve-2025-6264
+ - web: https://github.com/Velocidex/velociraptor/commit/21e7fd7138ddaa798cad35fd929864f6bb0c4e9c
+source:
+ id: GHSA-gpfc-mph4-qm24
+ created: 2025-07-21T17:03:41.97239595Z
+review_status: UNREVIEWED
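Review bot: The upstream commit is recorded as `web:` rather than `fix:`, so anyone filtering references by type will not find the patch for this privilege escalation. Assuming the commit is the fix (the report does not say so explicitly), the line should read `- fix: https://github.com/Velocidex/velociraptor/commit/21e7fd7138ddaa798cad35fd929864f6bb0c4e9c`. The same applies to the commit links in GO-2025-3769.yaml, GO-2025-3776.yaml and GO-2025-3778.yaml. In 3769 and 3778 the commit hash matches the `fixed` pseudo-version, so the `fix` type is clearly the right one there.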
diff --git a/data/reports/GO-2025-3769.yaml b/data/reports/GO-2025-3769.yaml
new file mode 100644
index 0000000..b3f7493
--- /dev/null
+++ b/data/reports/GO-2025-3769.yaml
@@ -0,0 +1,39 @@
+id: GO-2025-3769
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 0.0.0-20250519205859-65aec10162f6
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.16+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.6+incompatible
+ - introduced: 10.6.0+incompatible
+ - fixed: 10.6.6+incompatible
+ - introduced: 10.7.0+incompatible
+ - fixed: 10.7.3+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.1+incompatible
+ vulnerable_at: 10.8.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250519205859-65aec10162f6
+summary: Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-4981
+ghsas:
+ - GHSA-qh58-9v3j-wcjc
+references:
+ - advisory: https://github.com/advisories/GHSA-qh58-9v3j-wcjc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4981
+ - web: https://github.com/mattermost/mattermost/commit/65aec10162f612d98edf91cc66bf7e781868448b
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-qh58-9v3j-wcjc
+ created: 2025-07-21T17:03:37.19587197Z
+review_status: UNREVIEWED
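Review bot: The `mattermost-server/v5` and `mattermost-server/v6` entries carry only `vulnerable_at` and no `versions`, which presumably marks every release of both modules as affected with no fix a user can upgrade to. The `notes:` line also records that `vulnerable_at` could not be set for `github.com/mattermost/mattermost/server/v8`, so that entry is unverified as well. Confirm against the upstream advisory that these older major versions really contain the arbitrary file write, and drop them if they are listed only because the module path is related. GO-2025-3771.yaml and GO-2025-3772.yaml repeat the same module block and need the same check.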
diff --git a/data/reports/GO-2025-3771.yaml b/data/reports/GO-2025-3771.yaml
new file mode 100644
index 0000000..6b10b49
--- /dev/null
+++ b/data/reports/GO-2025-3771.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3771
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 0.0.0-20250520060012-d0380305ef7a
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.16+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.6+incompatible
+ - introduced: 10.6.0+incompatible
+ - fixed: 10.6.6+incompatible
+ - introduced: 10.7.0+incompatible
+ - fixed: 10.7.3+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.1+incompatible
+ vulnerable_at: 10.8.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250520060012-d0380305ef7a
+summary: Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-3228
+ghsas:
+ - GHSA-4578-6gjh-f2jm
+references:
+ - advisory: https://github.com/advisories/GHSA-4578-6gjh-f2jm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3228
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-4578-6gjh-f2jm
+ created: 2025-07-21T17:03:33.350636762Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3772.yaml b/data/reports/GO-2025-3772.yaml
new file mode 100644
index 0000000..69e940b
--- /dev/null
+++ b/data/reports/GO-2025-3772.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3772
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 0.0.0-20250520060012-d0380305ef7a
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.16+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.6+incompatible
+ - introduced: 10.6.0+incompatible
+ - fixed: 10.6.6+incompatible
+ - introduced: 10.7.0+incompatible
+ - fixed: 10.7.3+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.1+incompatible
+ vulnerable_at: 10.8.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250520060012-d0380305ef7a
+summary: Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-3227
+ghsas:
+ - GHSA-qwwm-c582-82rx
+references:
+ - advisory: https://github.com/advisories/GHSA-qwwm-c582-82rx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3227
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-qwwm-c582-82rx
+ created: 2025-07-21T17:03:28.469907439Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3773.yaml b/data/reports/GO-2025-3773.yaml
new file mode 100644
index 0000000..03c40b0
--- /dev/null
+++ b/data/reports/GO-2025-3773.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3773
+modules:
+ - module: github.com/Ackites/KillWxapkg
+ unsupported_versions:
+ - last_affected: 1.1.0
+ vulnerable_at: 1.1.0
+summary: Ackites KillWxapkg vulnerable to OS Command Injection in github.com/Ackites/KillWxapkg
+cves:
+ - CVE-2025-5030
+ghsas:
+ - GHSA-w6p4-84vc-qc2w
+references:
+ - advisory: https://github.com/advisories/GHSA-w6p4-84vc-qc2w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-5030
+ - report: https://github.com/Ackites/KillWxapkg/issues/85
+ - web: https://vuldb.com/?ctiid.309850
+ - web: https://vuldb.com/?id.309850
+ - web: https://vuldb.com/?submit.580526
+source:
+ id: GHSA-w6p4-84vc-qc2w
+ created: 2025-07-21T17:03:22.836966222Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3774.yaml b/data/reports/GO-2025-3774.yaml
new file mode 100644
index 0000000..70fa046
--- /dev/null
+++ b/data/reports/GO-2025-3774.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3774
+modules:
+ - module: k8s.io/kubernetes
+ versions:
+ - introduced: 1.32.0
+ - fixed: 1.32.6
+ - introduced: 1.33.0
+ - fixed: 1.33.2
+ vulnerable_at: 1.33.1
+summary: |-
+ kubernetes allows nodes to bypass dynamic resource allocation authorization
+ checks in k8s.io/kubernetes
+cves:
+ - CVE-2025-4563
+ghsas:
+ - GHSA-hj2p-8wj8-pfq4
+references:
+ - advisory: https://github.com/advisories/GHSA-hj2p-8wj8-pfq4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4563
+ - web: https://github.com/kubernetes/kubernetes/issues/132151
+ - web: https://github.com/kubernetes/kubernetes/pull/131844
+ - web: https://github.com/kubernetes/kubernetes/pull/131875
+ - web: https://github.com/kubernetes/kubernetes/pull/131876
+ - web: https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ
+source:
+ id: GHSA-hj2p-8wj8-pfq4
+ created: 2025-07-21T17:03:14.421730115Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3776.yaml b/data/reports/GO-2025-3776.yaml
new file mode 100644
index 0000000..3d1c39e
--- /dev/null
+++ b/data/reports/GO-2025-3776.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3776
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - fixed: 0.13.3
+ vulnerable_at: 0.13.3-rc.1
+summary: Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs
+cves:
+ - CVE-2024-56731
+ghsas:
+ - GHSA-wj44-9vcg-wjq7
+references:
+ - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-56731
+ - web: https://github.com/advisories/GHSA-ccqv-43vm-4f3w
+ - web: https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9
+ - web: https://github.com/gogs/gogs/releases/tag/v0.13.3
+source:
+ id: GHSA-wj44-9vcg-wjq7
+ created: 2025-07-21T17:03:09.703361592Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3777.yaml b/data/reports/GO-2025-3777.yaml
new file mode 100644
index 0000000..f82d2d4
--- /dev/null
+++ b/data/reports/GO-2025-3777.yaml
@@ -0,0 +1,41 @@
+id: GO-2025-3777
+modules:
+ - module: github.com/containers/podman
+ vulnerable_at: 1.9.3
+ - module: github.com/containers/podman/v2
+ vulnerable_at: 2.2.1
+ - module: github.com/containers/podman/v3
+ vulnerable_at: 3.4.7
+ - module: github.com/containers/podman/v4
+ versions:
+ - introduced: 4.8.0
+ unsupported_versions:
+ - last_affected: 4.9.5
+ vulnerable_at: 4.9.5
+ - module: github.com/containers/podman/v5
+ versions:
+ - fixed: 5.5.2
+ vulnerable_at: 5.5.1
+summary: Podman Improper Certificate Validation; machine missing TLS verification in github.com/containers/podman
+cves:
+ - CVE-2025-6032
+ghsas:
+ - GHSA-65gg-3w2w-hr4h
+references:
+ - advisory: https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6032
+ - fix: https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3
+ - web: https://access.redhat.com/errata/RHSA-2025:10295
+ - web: https://access.redhat.com/errata/RHSA-2025:10549
+ - web: https://access.redhat.com/errata/RHSA-2025:10550
+ - web: https://access.redhat.com/errata/RHSA-2025:10551
+ - web: https://access.redhat.com/errata/RHSA-2025:10668
+ - web: https://access.redhat.com/errata/RHSA-2025:9726
+ - web: https://access.redhat.com/errata/RHSA-2025:9751
+ - web: https://access.redhat.com/errata/RHSA-2025:9766
+ - web: https://access.redhat.com/security/cve/CVE-2025-6032
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2372501
+source:
+ id: GHSA-65gg-3w2w-hr4h
+ created: 2025-07-21T17:03:00.19093353Z
+review_status: UNREVIEWED
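Review bot: The entries for `github.com/containers/podman`, `/v2` and `/v3` have no `versions`, so all of their releases are presumably treated as affected. The `/v4` entry, however, says the missing TLS verification was introduced at `4.8.0`. If that introduction point is correct, the three older major versions cannot contain the defect and will only produce false positives. Either remove those entries or document why they are affected. The `/v5` entry also has no `introduced`, which is harmless only if every 5.x release before 5.5.2 is affected.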
diff --git a/data/reports/GO-2025-3778.yaml b/data/reports/GO-2025-3778.yaml
new file mode 100644
index 0000000..dedfa73
--- /dev/null
+++ b/data/reports/GO-2025-3778.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3778
+modules:
+ - module: gogs.io/gogs
+ versions:
+ - fixed: 0.13.3-0.20250608224432-110117b2e5e5
+ vulnerable_at: 0.13.2
+summary: Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs
+cves:
+ - CVE-2025-47943
+ghsas:
+ - GHSA-xh32-cx6c-cp4v
+references:
+ - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47943
+ - web: https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40
+ - web: https://github.com/gogs/gogs/releases/tag/v0.13.3
+source:
+ id: GHSA-xh32-cx6c-cp4v
+ created: 2025-07-21T17:02:54.942996853Z
+review_status: UNREVIEWED
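Review bot: The commit reference is typed `web` although the `fixed` pseudo-version `0.13.3-0.20250608224432-110117b2e5e5` is built from that same commit, so it should read `- fix: https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40`. GO-2025-3796 has the same mismatch for commit `4ae5d647fb88…`, which is also the hash in its `fixed` pseudo-versions. Separately, the summary "XSS allowed by stored call in PDF renderer" reads as garbled; it presumably means a stored XSS in the PDF renderer and should be reworded against the advisory text.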
diff --git a/data/reports/GO-2025-3779.yaml b/data/reports/GO-2025-3779.yaml
new file mode 100644
index 0000000..ede3f7f
--- /dev/null
+++ b/data/reports/GO-2025-3779.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3779
+modules:
+ - module: github.com/octo-sts/app
+ versions:
+ - fixed: 0.5.3
+ vulnerable_at: 0.5.2
+summary: Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens in github.com/octo-sts/app
+cves:
+ - CVE-2025-52477
+ghsas:
+ - GHSA-h3qp-hwvr-9xcq
+references:
+ - advisory: https://github.com/octo-sts/app/security/advisories/GHSA-h3qp-hwvr-9xcq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52477
+ - fix: https://github.com/octo-sts/app/commit/0f177fde54f9318e33f0bba6abaea9463a7c3afd
+ - fix: https://github.com/octo-sts/app/commit/b3976e39bd8c8c217c0670747d34a4499043da92
+source:
+ id: GHSA-h3qp-hwvr-9xcq
+ created: 2025-07-21T17:02:49.96989951Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3780.yaml b/data/reports/GO-2025-3780.yaml
new file mode 100644
index 0000000..34a65e1
--- /dev/null
+++ b/data/reports/GO-2025-3780.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3780
+modules:
+ - module: github.com/openbao/openbao/sdk
+ vulnerable_at: 0.11.1
+ - module: github.com/openbao/openbao/sdk/v2
+ versions:
+ - fixed: 2.3.0
+ vulnerable_at: 2.2.0
+summary: |-
+ OpenBao Inserts Sensitive Information into Log File when processing malformed
+ data in github.com/openbao/openbao/sdk
+cves:
+ - CVE-2025-52893
+ghsas:
+ - GHSA-8f5r-8cmq-7fmq
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52893
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
+ - web: https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a
+ - web: https://github.com/go-viper/mapstructure/pull/105
+ - web: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0
+ - web: https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30
+source:
+ id: GHSA-8f5r-8cmq-7fmq
+ created: 2025-07-21T17:02:42.310118109Z
+review_status: UNREVIEWED
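Review bot: The `fixed: 2.3.0` on `github.com/openbao/openbao/sdk/v2` should be confirmed as a tag of the sdk module itself, because the references place the underlying change in `go-viper/mapstructure` (commit, PR 105 and release `v2.3.0`) and the numbers coincide. If 2.3.0 is the product or dependency release rather than an `sdk/v2` tag, scanners will compute the wrong boundary for users of the SDK. The `github.com/openbao/openbao/sdk` entry has no `versions` at all, so every v0/v1 release is flagged; that is worth a `notes:` line if it is intentional.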
diff --git a/data/reports/GO-2025-3781.yaml b/data/reports/GO-2025-3781.yaml
new file mode 100644
index 0000000..ece67d4
--- /dev/null
+++ b/data/reports/GO-2025-3781.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3781
+modules:
+ - module: github.com/lxc/incus
+ vulnerable_at: 0.7.0
+ - module: github.com/lxc/incus/v6
+ versions:
+ - introduced: 6.12.0
+ - fixed: 6.14.0
+ vulnerable_at: 6.13.0
+summary: |-
+ Incus Allocation of Resources Without Limits allows firewall rule bypass on
+ managed bridge networks in github.com/lxc/incus
+cves:
+ - CVE-2025-52889
+ghsas:
+ - GHSA-9q7c-qmhm-jv86
+references:
+ - advisory: https://github.com/lxc/incus/security/advisories/GHSA-9q7c-qmhm-jv86
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52889
+ - fix: https://github.com/lxc/incus/commit/2516fb19ad8428454cb4edfe70c0a5f0dc1da214
+ - fix: https://github.com/lxc/incus/commit/a7c33301738aede3c035063e973b1d885d9bac7c
+source:
+ id: GHSA-9q7c-qmhm-jv86
+ created: 2025-07-21T17:02:31.231287465Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3782.yaml b/data/reports/GO-2025-3782.yaml
new file mode 100644
index 0000000..7683aae
--- /dev/null
+++ b/data/reports/GO-2025-3782.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3782
+modules:
+ - module: github.com/lxc/incus
+ vulnerable_at: 0.7.0
+ - module: github.com/lxc/incus/v6
+ versions:
+ - introduced: 6.12.0
+ - fixed: 6.14.0
+ vulnerable_at: 6.13.0
+summary: Incus creates nftables rules that partially bypass security options in github.com/lxc/incus
+cves:
+ - CVE-2025-52890
+ghsas:
+ - GHSA-p7fw-vjjm-2rwp
+references:
+ - advisory: https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52890
+ - fix: https://github.com/lxc/incus/commit/254dfd2483ab8de39b47c2258b7f1cf0759231c8
+source:
+ id: GHSA-p7fw-vjjm-2rwp
+ created: 2025-07-21T16:58:21.454497987Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3783.yaml b/data/reports/GO-2025-3783.yaml
new file mode 100644
index 0000000..be2fd67
--- /dev/null
+++ b/data/reports/GO-2025-3783.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3783
+modules:
+ - module: github.com/openbao/openbao/api
+ vulnerable_at: 1.12.2
+ - module: github.com/openbao/openbao/api/v2
+ versions:
+ - fixed: 2.3.1
+ non_go_versions:
+ - introduced: 2.2.2
+ vulnerable_at: 2.3.0
+summary: |-
+ OpenBao allows cancellation of root rekey and recovery rekey operations without
+ authentication in github.com/openbao/openbao/api
+cves:
+ - CVE-2025-52894
+ghsas:
+ - GHSA-prpj-rchp-9j5h
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52894
+ - web: https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b
+ - web: https://github.com/openbao/openbao/releases/tag/v2.3.1
+ - web: https://openbao.org/docs/deprecation
+ - web: https://openbao.org/docs/deprecation/unauthed-rekey
+source:
+ id: GHSA-prpj-rchp-9j5h
+ created: 2025-07-21T16:58:14.920746363Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3784.yaml b/data/reports/GO-2025-3784.yaml
new file mode 100644
index 0000000..5765ade
--- /dev/null
+++ b/data/reports/GO-2025-3784.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3784
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.33.7
+ vulnerable_at: 2.33.6
+summary: |-
+ filebrowser allows Stored Cross-Site Scripting through the Markdown preview
+ function in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52902
+ghsas:
+ - GHSA-4wx8-5gm2-2j97
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52902
+ - fix: https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d
+source:
+ id: GHSA-4wx8-5gm2-2j97
+ created: 2025-07-21T16:58:10.788066772Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3785.yaml b/data/reports/GO-2025-3785.yaml
new file mode 100644
index 0000000..b17127a
--- /dev/null
+++ b/data/reports/GO-2025-3785.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3785
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.33.7
+ vulnerable_at: 2.33.6
+summary: filebrowser Sets Insecure File Permissions in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52900
+ghsas:
+ - GHSA-jj2r-455p-5gvf
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52900
+ - fix: https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76
+source:
+ id: GHSA-jj2r-455p-5gvf
+ created: 2025-07-21T16:58:06.165948839Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3786.yaml b/data/reports/GO-2025-3786.yaml
new file mode 100644
index 0000000..90d44f6
--- /dev/null
+++ b/data/reports/GO-2025-3786.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3786
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.33.10
+ vulnerable_at: 2.33.9
+summary: filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52903
+ghsas:
+ - GHSA-3q2w-42mv-cph4
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52903
+ - fix: https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
+ - report: https://github.com/filebrowser/filebrowser/issues/5199
+source:
+ id: GHSA-3q2w-42mv-cph4
+ created: 2025-07-21T16:58:00.834039045Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3788.yaml b/data/reports/GO-2025-3788.yaml
new file mode 100644
index 0000000..c3eba6d
--- /dev/null
+++ b/data/reports/GO-2025-3788.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3788
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.14.8
+ - fixed: 1.20.0
+ vulnerable_at: 1.20.0-rc2
+summary: |-
+ Vault Community Edition rekey and recovery key operations can cause denial of
+ service in github.com/hashicorp/vault
+cves:
+ - CVE-2025-4656
+ghsas:
+ - GHSA-fhc2-8qx8-6vj7
+references:
+ - advisory: https://github.com/advisories/GHSA-fhc2-8qx8-6vj7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4656
+ - fix: https://github.com/hashicorp/vault/pull/30794
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570
+source:
+ id: GHSA-fhc2-8qx8-6vj7
+ created: 2025-07-21T16:57:54.157906156Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3789.yaml b/data/reports/GO-2025-3789.yaml
new file mode 100644
index 0000000..68b7e14
--- /dev/null
+++ b/data/reports/GO-2025-3789.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3789
+modules:
+ - module: github.com/snyk/go-application-framework
+ vulnerable_at: 0.0.1
+summary: |-
+ Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or
+ DEBUG/TRACE mode in github.com/snyk/go-application-framework
+cves:
+ - CVE-2025-6624
+ghsas:
+ - GHSA-6hwc-9h8r-3vmf
+references:
+ - advisory: https://github.com/advisories/GHSA-6hwc-9h8r-3vmf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6624
+ - fix: https://github.com/snyk/go-application-framework/commit/ca7ba7d72e68455afb466a7a47bb2c9aece86c18
+ - web: https://docs.snyk.io/snyk-cli/debugging-the-snyk-cli
+ - web: https://github.com/snyk
+ - web: https://github.com/snyk/cli/commit/38322f377da7e5f1391e1f641710be50989fa4df
+ - web: https://github.com/snyk/cli/releases/tag/v1.1297.3
+ - web: https://security.snyk.io/vuln/SNYK-JS-SNYK-10497607
+source:
+ id: GHSA-6hwc-9h8r-3vmf
+ created: 2025-07-21T16:57:47.27061162Z
+review_status: UNREVIEWED
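Review bot: The module entry has no `versions` range even though a `fix` commit is referenced, so every version of `github.com/snyk/go-application-framework` is reported as vulnerable, including builds that already contain commit `ca7ba7d72e68…`. Consumers then have no upgrade target that clears the finding for this credential-logging issue. Add a range such as `versions:` / `- fixed: <PSEUDO_VERSION_OF_ca7ba7d72e68>` (placeholder; resolve it from the module proxy), or add a `notes:` entry explaining why no fixed version could be derived.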
diff --git a/data/reports/GO-2025-3790.yaml b/data/reports/GO-2025-3790.yaml
new file mode 100644
index 0000000..3561d63
--- /dev/null
+++ b/data/reports/GO-2025-3790.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3790
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ unsupported_versions:
+ - last_affected: 2.35.0
+ vulnerable_at: 2.40.2
+summary: File Browser's password protection of links is bypassable in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52996
+ghsas:
+ - GHSA-3v48-283x-f2w4
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52996
+ - report: https://github.com/filebrowser/filebrowser/issues/5239
+source:
+ id: GHSA-3v48-283x-f2w4
+ created: 2025-07-21T16:57:42.657022448Z
+review_status: UNREVIEWED
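Review bot: For `github.com/filebrowser/filebrowser/v2` the `vulnerable_at: 2.40.2` is newer than `last_affected: 2.35.0`, so the two fields contradict each other. Either 2.40.2 is still vulnerable and `last_affected` understates the range, or `vulnerable_at` names a version that is not affected. Because the bound sits under `unsupported_versions` and there is no `versions` block, all v2 releases are flagged regardless, which suggests no fix is known; if so the `last_affected` entry is misleading and should be removed or explained in `notes:`. GO-2025-3793 (`last_affected: 2.35.0`) and GO-2025-3812 (`last_affected: 2.39.0`) have the same conflict with `vulnerable_at: 2.40.2`.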
diff --git a/data/reports/GO-2025-3791.yaml b/data/reports/GO-2025-3791.yaml
new file mode 100644
index 0000000..9e68ee0
--- /dev/null
+++ b/data/reports/GO-2025-3791.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3791
+modules:
+ - module: github.com/babylonlabs-io/babylon
+ vulnerable_at: 1.1.0
+ - module: github.com/babylonlabs-io/babylon/v2
+ versions:
+ - fixed: 2.2.0
+ vulnerable_at: 2.1.0
+summary: Babylon vulnerable to chain half when transaction has fees different than `ubbn` in github.com/babylonlabs-io/babylon
+ghsas:
+ - GHSA-56j4-446m-qrf6
+references:
+ - advisory: https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-56j4-446m-qrf6
+ - fix: https://github.com/babylonlabs-io/babylon/commit/fe67aebd5216e7d3afa1d7dee2a3f82e548556f3
+ - web: https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28
+source:
+ id: GHSA-56j4-446m-qrf6
+ created: 2025-07-21T16:57:39.704119084Z
+review_status: UNREVIEWED
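Review bot: The summary says "chain half", which looks like a typo for "chain halt"; GO-2025-3801 for the same module uses "chain halt". The `summary` is what vulnerability scanners print, so replace `chain half` with `chain halt` there. The report also lists `github.com/babylonlabs-io/babylon` with no `versions`, which flags every v0/v1 release; confirm that is intended.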
diff --git a/data/reports/GO-2025-3792.yaml b/data/reports/GO-2025-3792.yaml
new file mode 100644
index 0000000..ffec102
--- /dev/null
+++ b/data/reports/GO-2025-3792.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3792
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.34.1
+ vulnerable_at: 2.34.0
+summary: File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52997
+ghsas:
+ - GHSA-cm2r-rg7r-p7gg
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-cm2r-rg7r-p7gg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52997
+ - fix: https://github.com/filebrowser/filebrowser/commit/bf37f88c32222ad9c186482bb97338a9c9b4a93c
+source:
+ id: GHSA-cm2r-rg7r-p7gg
+ created: 2025-07-21T16:57:35.887689415Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3793.yaml b/data/reports/GO-2025-3793.yaml
new file mode 100644
index 0000000..c2d98ef
--- /dev/null
+++ b/data/reports/GO-2025-3793.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3793
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ unsupported_versions:
+ - last_affected: 2.35.0
+ vulnerable_at: 2.40.2
+summary: 'File Browser: Command Execution not Limited to Scope in github.com/filebrowser/filebrowser'
+cves:
+ - CVE-2025-52904
+ghsas:
+ - GHSA-hc8f-m8g5-8362
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52904
+ - report: https://github.com/filebrowser/filebrowser/issues/5199
+ - web: https://github.com/GoogleContainerTools/distroless
+ - web: https://sloonz.github.io/posts/sandboxing-1
+source:
+ id: GHSA-hc8f-m8g5-8362
+ created: 2025-07-21T16:57:30.595122711Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3794.yaml b/data/reports/GO-2025-3794.yaml
new file mode 100644
index 0000000..1c25e52
--- /dev/null
+++ b/data/reports/GO-2025-3794.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3794
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.33.9
+ vulnerable_at: 2.33.8
+summary: File Browser allows sensitive data to be transferred in URL in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52901
+ghsas:
+ - GHSA-rmwh-g367-mj4x
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52901
+ - fix: https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2
+ - web: https://github.com/filebrowser/filebrowser/releases/tag/v2.33.9
+source:
+ id: GHSA-rmwh-g367-mj4x
+ created: 2025-07-21T16:57:25.996506512Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3795.yaml b/data/reports/GO-2025-3795.yaml
new file mode 100644
index 0000000..7aee0ae
--- /dev/null
+++ b/data/reports/GO-2025-3795.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3795
+modules:
+ - module: github.com/filebrowser/filebrowser
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - fixed: 2.33.10
+ vulnerable_at: 2.33.9
+summary: File Browser vulnerable to command execution allowlist bypass in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-52995
+ghsas:
+ - GHSA-w7qc-6grj-w7r8
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w7qc-6grj-w7r8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52995
+ - fix: https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
+ - web: https://github.com/filebrowser/filebrowser/releases/tag/v2.33.10
+source:
+ id: GHSA-w7qc-6grj-w7r8
+ created: 2025-07-21T16:57:20.348334201Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3796.yaml b/data/reports/GO-2025-3796.yaml
new file mode 100644
index 0000000..82e15a7
--- /dev/null
+++ b/data/reports/GO-2025-3796.yaml
@@ -0,0 +1,40 @@
+id: GO-2025-3796
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 0.0.0-20250513065225-4ae5d647fb88
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.16+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.6+incompatible
+ - introduced: 10.6.0+incompatible
+ - fixed: 10.6.6+incompatible
+ - introduced: 10.7.0+incompatible
+ - fixed: 10.7.3+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.1+incompatible
+ vulnerable_at: 10.8.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250513065225-4ae5d647fb88
+summary: Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-46702
+ghsas:
+ - GHSA-v8fr-vxmw-6mf6
+references:
+ - advisory: https://github.com/advisories/GHSA-v8fr-vxmw-6mf6
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46702
+ - web: https://github.com/mattermost/mattermost/commit/31142f101e3cce6171e2b6cb4980a1aa8eaefae0
+ - web: https://github.com/mattermost/mattermost/commit/4ae5d647fb8893d77dccbb57d114855939a775ce
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-v8fr-vxmw-6mf6
+ created: 2025-07-21T16:57:15.622284772Z
+review_status: UNREVIEWED
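Review bot: The summary "Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server" is identical to the one in GO-2025-3797, which covers a different CVE, so the two findings cannot be told apart in scanner output. Each summary should name the affected operation or resource from its own advisory instead of only the weakness class. The `/v8` entry also has a `fixed` pseudo-version but no `vulnerable_at`, as the `notes:` line records, so nothing in that module was checked for this report.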
diff --git a/data/reports/GO-2025-3797.yaml b/data/reports/GO-2025-3797.yaml
new file mode 100644
index 0000000..921ba29
--- /dev/null
+++ b/data/reports/GO-2025-3797.yaml
@@ -0,0 +1,38 @@
+id: GO-2025-3797
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 0.0.0-20250513065225-4ae5d647fb88
+ - introduced: 9.11.0+incompatible
+ - fixed: 9.11.16+incompatible
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.6+incompatible
+ - introduced: 10.6.0+incompatible
+ - fixed: 10.6.6+incompatible
+ - introduced: 10.7.0+incompatible
+ - fixed: 10.7.3+incompatible
+ - introduced: 10.8.0+incompatible
+ - fixed: 10.8.1+incompatible
+ vulnerable_at: 10.8.0+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250513065225-4ae5d647fb88
+summary: Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-47871
+ghsas:
+ - GHSA-wgvp-jj4w-88hf
+references:
+ - advisory: https://github.com/advisories/GHSA-wgvp-jj4w-88hf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47871
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-wgvp-jj4w-88hf
+ created: 2025-07-21T16:55:34.702509388Z
+review_status: UNREVIEWED
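Review bot: The `fixed` pseudo-versions here (`0.0.0-20250513065225-4ae5d647fb88` and `8.0.0-20250513065225-4ae5d647fb88`) are the same as in GO-2025-3796, but this report references no commit at all, while GO-2025-3796 links commit `4ae5d647fb88…`. Confirm that this commit also fixes CVE-2025-47871 and add it as a `fix:` reference. If it does not, the ranges were presumably carried over from the sibling report and need to be recomputed.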
diff --git a/data/reports/GO-2025-3799.yaml b/data/reports/GO-2025-3799.yaml
new file mode 100644
index 0000000..70945b5
--- /dev/null
+++ b/data/reports/GO-2025-3799.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3799
+modules:
+ - module: github.com/lf-edge/ekuiper
+ unsupported_versions:
+ - last_affected: 1.14.7
+ vulnerable_at: 1.14.7
+ - module: github.com/lf-edge/ekuiper/v2
+ versions:
+ - fixed: 2.2.0
+ vulnerable_at: 2.2.0-beta.1
+summary: LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement in github.com/lf-edge/ekuiper
+ghsas:
+ - GHSA-fv2p-qj5p-wqq4
+references:
+ - advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-fv2p-qj5p-wqq4
+ - web: https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359
+source:
+ id: GHSA-fv2p-qj5p-wqq4
+ created: 2025-07-21T16:55:24.565657523Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3800.yaml b/data/reports/GO-2025-3800.yaml
new file mode 100644
index 0000000..038e5b7
--- /dev/null
+++ b/data/reports/GO-2025-3800.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3800
+modules:
+ - module: github.com/lf-edge/ekuiper
+ unsupported_versions:
+ - last_affected: 1.14.7
+ vulnerable_at: 1.14.7
+ - module: github.com/lf-edge/ekuiper/v2
+ versions:
+ - fixed: 2.2.0
+ vulnerable_at: 2.2.0-beta.1
+summary: eKuiper /config/uploads API arbitrary file writing may lead to RCE in github.com/lf-edge/ekuiper
+ghsas:
+ - GHSA-gj54-gwj9-x2c6
+references:
+ - advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-gj54-gwj9-x2c6
+source:
+ id: GHSA-gj54-gwj9-x2c6
+ created: 2025-07-21T16:55:23.495524634Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3801.yaml b/data/reports/GO-2025-3801.yaml
new file mode 100644
index 0000000..e554ce7
--- /dev/null
+++ b/data/reports/GO-2025-3801.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3801
+modules:
+ - module: github.com/babylonlabs-io/babylon
+ vulnerable_at: 1.1.0
+ - module: github.com/babylonlabs-io/babylon/v2
+ versions:
+ - introduced: 2.0.0
+ - fixed: 2.1.0
+ vulnerable_at: 2.0.0
+summary: |-
+ Babylon vulnerable to chain halt when a message modifies the validator set at
+ the epoch boundary in github.com/babylonlabs-io/babylon
+ghsas:
+ - GHSA-rj53-j6jw-7f7g
+references:
+ - advisory: https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-rj53-j6jw-7f7g
+ - fix: https://github.com/babylonlabs-io/babylon/pull/1244/files
+ - web: https://boiling-lake-106.notion.site/2025-06-18-Babylon-Genesis-Chain-Halt-Post-Mortem-229f60cc1b5f80b7adf5e3ea0541ea87
+ - web: https://github.com/babylonlabs-io/babylon/releases/tag/v2.1.0
+source:
+ id: GHSA-rj53-j6jw-7f7g
+ created: 2025-07-21T16:55:20.353185789Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3804.yaml b/data/reports/GO-2025-3804.yaml
new file mode 100644
index 0000000..8d93034
--- /dev/null
+++ b/data/reports/GO-2025-3804.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3804
+modules:
+ - module: github.com/juju/juju
+ versions:
+ - fixed: 0.0.0-20250619215741-6356e984b82a
+summary: Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju
+cves:
+ - CVE-2025-53513
+ghsas:
+ - GHSA-24ch-w38v-xmh8
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53513
+ - fix: https://github.com/juju/juju/commit/6356e984b82a4a7b9771ff5e51e297ad62f3b405
+ - fix: https://github.com/juju/juju/commit/ff39557a137c0e95d4cd3553b0f19c859c6f5d8e
+ - web: https://drive.google.com/file/d/1pHRNiaA8LyMVJYwIyTqelsqJ9FmImDf0/view
+ - web: https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L754
+ - web: https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L897
+ - web: https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L990
+notes:
+ - fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-24ch-w38v-xmh8
+ created: 2025-07-21T16:55:10.919538662Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3805.yaml b/data/reports/GO-2025-3805.yaml
new file mode 100644
index 0000000..c231295
--- /dev/null
+++ b/data/reports/GO-2025-3805.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3805
+modules:
+ - module: github.com/juju/juju
+ non_go_versions:
+ - fixed: 0.0.0-20250619215741-4034aa13c7cf
+ vulnerable_at: 0.0.0-20250718163602-b0f4af937d12
+summary: |-
+ Juju allows arbitrary executable uploads via authenticated endpoint without
+ authorization in github.com/juju/juju
+cves:
+ - CVE-2025-0928
+ghsas:
+ - GHSA-4vc8-wvhw-m5gv
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-0928
+ - fix: https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e
+ - fix: https://github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c
+ - fix: https://github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096
+ - fix: https://github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf
+source:
+ id: GHSA-4vc8-wvhw-m5gv
+ created: 2025-07-21T16:54:06.149066128Z
+review_status: UNREVIEWED
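Review bot: The fix boundary `0.0.0-20250619215741-4034aa13c7cf` is filed under `non_go_versions`, so the module has no Go `versions` range and every version of `github.com/juju/juju` is flagged; GO-2025-3804 and GO-2025-3806 put their pseudo-versions under `versions` instead. In addition, `vulnerable_at: 0.0.0-20250718163602-b0f4af937d12` is dated 2025-07-18, about a month after the 2025-06-19 fix pseudo-version, so it names a revision that may already contain the fix. The timestamp `20250619215741` is also shared with the different hash in GO-2025-3804, which may be why this pseudo-version did not resolve. Verify the pseudo-version against the commit, move it to `versions:` / `- fixed: …` once it resolves, and pick a `vulnerable_at` that predates the fix.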
diff --git a/data/reports/GO-2025-3806.yaml b/data/reports/GO-2025-3806.yaml
new file mode 100644
index 0000000..be1342a
--- /dev/null
+++ b/data/reports/GO-2025-3806.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3806
+modules:
+ - module: github.com/juju/juju
+ versions:
+ - fixed: 0.0.0-20250619024904-402ff008dcc2
+summary: |-
+ Juju vulnerable to sensitive log retrieval via authenticated endpoint without
+ authorization in github.com/juju/juju
+cves:
+ - CVE-2025-53512
+ghsas:
+ - GHSA-r64v-82fh-xc63
+references:
+ - advisory: https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53512
+ - fix: https://github.com/juju/juju/commit/402ff008dcc2cb57f4441968628637efb5c2a662
+ - fix: https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3
+notes:
+ - fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-r64v-82fh-xc63
+ created: 2025-07-21T16:54:00.467647347Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3807.yaml b/data/reports/GO-2025-3807.yaml
new file mode 100644
index 0000000..b155fbf
--- /dev/null
+++ b/data/reports/GO-2025-3807.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-3807
+modules:
+ - module: github.com/edgelesssys/contrast
+ versions:
+ - fixed: 1.9.1
+ vulnerable_at: 1.9.0
+summary: |-
+ Contrast vulnerability allows arbitrary host data Injection into container
+ VOLUME mount points in github.com/edgelesssys/contrast
+ghsas:
+ - GHSA-phhq-63jg-fp7r
+references:
+ - advisory: https://github.com/edgelesssys/contrast/security/advisories/GHSA-phhq-63jg-fp7r
+ - fix: https://github.com/edgelesssys/contrast/commit/635b471ddbb512b6661e6f1d767aab818bd50bda
+ - web: https://github.com/edgelesssys/contrast/releases/tag/v1.9.1
+source:
+ id: GHSA-phhq-63jg-fp7r
+ created: 2025-07-21T16:53:56.528055016Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3808.yaml b/data/reports/GO-2025-3808.yaml
new file mode 100644
index 0000000..4a52721
--- /dev/null
+++ b/data/reports/GO-2025-3808.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3808
+modules:
+ - module: github.com/ctfer-io/chall-manager
+ versions:
+ - fixed: 0.1.4
+ vulnerable_at: 0.1.3
+summary: |-
+ Chall-Manager is vulnerable to Path Traversal when extracting/decoding a zip
+ archive in github.com/ctfer-io/chall-manager
+cves:
+ - CVE-2025-53632
+ghsas:
+ - GHSA-3gv2-v3jx-r9fh
+references:
+ - advisory: https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-3gv2-v3jx-r9fh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53632
+ - fix: https://github.com/ctfer-io/chall-manager/commit/47d188fda5e3f86285e820f12ad9fb6f9930662c
+ - web: https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4
+source:
+ id: GHSA-3gv2-v3jx-r9fh
+ created: 2025-07-21T16:53:53.153059888Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3809.yaml b/data/reports/GO-2025-3809.yaml
new file mode 100644
index 0000000..b723a32
--- /dev/null
+++ b/data/reports/GO-2025-3809.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3809
+modules:
+ - module: github.com/ctfer-io/chall-manager
+ versions:
+ - fixed: 0.1.4
+ vulnerable_at: 0.1.3
+summary: Chall-Manager's HTTP Gateway is vulnerable to DoS due to missing header timeout in github.com/ctfer-io/chall-manager
+cves:
+ - CVE-2025-53634
+ghsas:
+ - GHSA-ggmv-j932-q89q
+references:
+ - advisory: https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-ggmv-j932-q89q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53634
+ - fix: https://github.com/ctfer-io/chall-manager/commit/1385bd869142651146cd0b123085f91cec698636
+ - web: https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4
+source:
+ id: GHSA-ggmv-j932-q89q
+ created: 2025-07-21T16:53:49.049597797Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3810.yaml b/data/reports/GO-2025-3810.yaml
new file mode 100644
index 0000000..e382607
--- /dev/null
+++ b/data/reports/GO-2025-3810.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3810
+modules:
+ - module: github.com/ctfer-io/chall-manager
+ versions:
+ - fixed: 0.1.4
+ vulnerable_at: 0.1.3
+summary: Chall-Manager's scenario decoding process does not check for zip bombs in github.com/ctfer-io/chall-manager
+cves:
+ - CVE-2025-53633
+ghsas:
+ - GHSA-r7fm-3pqm-ww5w
+references:
+ - advisory: https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-r7fm-3pqm-ww5w
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53633
+ - fix: https://github.com/ctfer-io/chall-manager/commit/14042aa66a577caee777e10fe09adcf2587d20dd
+ - web: https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4
+source:
+ id: GHSA-r7fm-3pqm-ww5w
+ created: 2025-07-21T16:53:42.990169348Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3811.yaml b/data/reports/GO-2025-3811.yaml
new file mode 100644
index 0000000..7ffd0c6
--- /dev/null
+++ b/data/reports/GO-2025-3811.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3811
+modules:
+ - module: github.com/filebrowser/filebrowser
+ versions:
+ - introduced: 1.0.0
+ unsupported_versions:
+ - last_affected: 1.11.0
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ versions:
+ - introduced: 2.0.0-rc.1
+ vulnerable_at: 2.40.2
+summary: |-
+ File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS
+ attack due to oversized file processing in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-53893
+ghsas:
+ - GHSA-7xqm-7738-642x
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642x
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53893
+ - report: https://github.com/filebrowser/filebrowser/issues/5294
+source:
+ id: GHSA-7xqm-7738-642x
+ created: 2025-07-21T16:53:37.245748513Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3812.yaml b/data/reports/GO-2025-3812.yaml
new file mode 100644
index 0000000..710dc98
--- /dev/null
+++ b/data/reports/GO-2025-3812.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-3812
+modules:
+ - module: github.com/filebrowser/filebrowser
+ vulnerable_at: 1.11.0
+ - module: github.com/filebrowser/filebrowser/v2
+ unsupported_versions:
+ - last_affected: 2.39.0
+ vulnerable_at: 2.40.2
+summary: |-
+ File Browser’s insecure JWT handling can lead to session replay attacks after
+ logout in github.com/filebrowser/filebrowser
+cves:
+ - CVE-2025-53826
+ghsas:
+ - GHSA-7xwp-2cpp-p8r7
+references:
+ - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53826
+ - report: https://github.com/filebrowser/filebrowser/issues/5216
+source:
+ id: GHSA-7xwp-2cpp-p8r7
+ created: 2025-07-21T16:53:32.370366112Z
+review_status: UNREVIEWED