data/reports: add 5 reports
- data/reports/GO-2025-3726.yaml
- data/reports/GO-2025-3733.yaml
- data/reports/GO-2025-3734.yaml
- data/reports/GO-2025-3736.yaml
- data/reports/GO-2025-3737.yaml
Fixes golang/vulndb#3726
Fixes golang/vulndb#3733
Fixes golang/vulndb#3734
Fixes golang/vulndb#3736
Fixes golang/vulndb#3737
Change-Id: I2d0413842353ae871b11f80c83c5c40994bb0665
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/678495
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3726.json b/data/osv/GO-2025-3726.json
new file mode 100644
index 0000000..cd5b6a8
--- /dev/null
+++ b/data/osv/GO-2025-3726.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3726",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2020-36846"
+ ],
+ "summary": "IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli",
+ "details": "IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/google/brotli",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36846"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/google/brotli/pull/826"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-5v8v-66v8-mwm7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8927"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Robert Rothenberg (RRWO)"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3726",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3733.json b/data/osv/GO-2025-3733.json
new file mode 100644
index 0000000..8d16e60
--- /dev/null
+++ b/data/osv/GO-2025-3733.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3733",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48948",
+ "GHSA-f238-rggp-82m3"
+ ],
+ "summary": "Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome",
+ "details": "Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/navidrome/navidrome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.56.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48948"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/navidrome/navidrome/pull/4096"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3733",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3734.json b/data/osv/GO-2025-3734.json
new file mode 100644
index 0000000..d36e373
--- /dev/null
+++ b/data/osv/GO-2025-3734.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3734",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48949",
+ "GHSA-5wgp-vjxm-3x2r"
+ ],
+ "summary": "Navidrome allows SQL Injection via role parameter in github.com/navidrome/navidrome",
+ "details": "Navidrome allows SQL Injection via role parameter in github.com/navidrome/navidrome",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/navidrome/navidrome",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.55.0"
+ },
+ {
+ "fixed": "0.56.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48949"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3734",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3736.json b/data/osv/GO-2025-3736.json
new file mode 100644
index 0000000..49644e7
--- /dev/null
+++ b/data/osv/GO-2025-3736.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3736",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48495",
+ "GHSA-4xg4-54hm-9j77"
+ ],
+ "summary": "Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi",
+ "details": "Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/forceu/gokapi",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48495"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3736",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3737.json b/data/osv/GO-2025-3737.json
new file mode 100644
index 0000000..b1a83d4
--- /dev/null
+++ b/data/osv/GO-2025-3737.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3737",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-48494",
+ "GHSA-95rc-wc32-gm53"
+ ],
+ "summary": "Gokapi vulnerable to stored XSS via uploading file with malicious file name in github.com/forceu/gokapi",
+ "details": "Gokapi vulnerable to stored XSS via uploading file with malicious file name in github.com/forceu/gokapi.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/forceu/gokapi",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48494"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.0.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3737",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3726.yaml b/data/reports/GO-2025-3726.yaml
new file mode 100644
index 0000000..523c29a
--- /dev/null
+++ b/data/reports/GO-2025-3726.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-3726
+modules:
+ - module: github.com/google/brotli
+ unsupported_versions:
+ - cve_version_range: 'affected from 0 before 0.007 (default: unaffected)'
+ vulnerable_at: 1.1.0
+summary: |-
+ IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow
+ in the bundled Brotli C library in github.com/google/brotli
+cves:
+ - CVE-2020-36846
+credits:
+ - Robert Rothenberg (RRWO)
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-36846
+ - fix: https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
+ - fix: https://github.com/google/brotli/pull/826
+ - web: https://github.com/advisories/GHSA-5v8v-66v8-mwm7
+ - web: https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2020-8927
+source:
+ id: CVE-2020-36846
+ created: 2025-06-03T13:24:22.322344-04:00
+review_status: UNREVIEWED
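Review bot: The bound in `cve_version_range` under `unsupported_versions` is the Perl IO::Compress::Brotli distribution's 0.007, not a version of github.com/google/brotli, so the emitted OSV range is `introduced: "0"` with no `fixed` event and every release of the Go module is flagged, even though a fix commit in that same repository is listed under `references`. Since the module path and the fix commit point at the same repository, the affected range presumably should end at the release that contains that commit — confirm and record it as `versions: - fixed: <release containing 223d80cfbec8>`, or exclude the report if the Go bindings never compile the affected code. The summary is also written from the Perl package's perspective; `summary: Integer overflow in the bundled Brotli C library in github.com/google/brotli` states the same finding for the Go module directly. There is no `description`, so the generated OSV `details` field repeats the summary verbatim.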
diff --git a/data/reports/GO-2025-3733.yaml b/data/reports/GO-2025-3733.yaml
new file mode 100644
index 0000000..5426950
--- /dev/null
+++ b/data/reports/GO-2025-3733.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3733
+modules:
+ - module: github.com/navidrome/navidrome
+ versions:
+ - fixed: 0.56.0
+ vulnerable_at: 0.55.2
+summary: Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome
+cves:
+ - CVE-2025-48948
+ghsas:
+ - GHSA-f238-rggp-82m3
+references:
+ - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48948
+ - fix: https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8
+ - fix: https://github.com/navidrome/navidrome/pull/4096
+source:
+ id: GHSA-f238-rggp-82m3
+ created: 2025-06-03T13:21:13.171219-04:00
+review_status: UNREVIEWED
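Review bot: The `summary` copies the GHSA title verbatim, so the advisory reads "…Vulnerability Report in github.com/navidrome/navidrome" — the trailing "Report" names the upstream document rather than the flaw; `summary: Navidrome transcoding permission bypass in github.com/navidrome/navidrome` is the same statement without it. The `versions` list also carries only `fixed: 0.56.0`, whereas the sibling report GO-2025-3734 for the same module and fix release records `introduced: 0.55.0`; if the source advisory gives a first affected version, adding an `introduced` entry avoids flagging every earlier release of the module.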
diff --git a/data/reports/GO-2025-3734.yaml b/data/reports/GO-2025-3734.yaml
new file mode 100644
index 0000000..fb94c7f
--- /dev/null
+++ b/data/reports/GO-2025-3734.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3734
+modules:
+ - module: github.com/navidrome/navidrome
+ versions:
+ - introduced: 0.55.0
+ - fixed: 0.56.0
+ vulnerable_at: 0.55.2
+summary: Navidrome allows SQL Injection via role parameter in github.com/navidrome/navidrome
+cves:
+ - CVE-2025-48949
+ghsas:
+ - GHSA-5wgp-vjxm-3x2r
+references:
+ - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48949
+ - fix: https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6
+source:
+ id: GHSA-5wgp-vjxm-3x2r
+ created: 2025-06-03T13:21:08.443051-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3736.yaml b/data/reports/GO-2025-3736.yaml
new file mode 100644
index 0000000..ad75525
--- /dev/null
+++ b/data/reports/GO-2025-3736.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3736
+modules:
+ - module: github.com/forceu/gokapi
+ non_go_versions:
+ - fixed: 2.0.0
+ vulnerable_at: 1.9.6
+summary: |-
+ Gokapi has stored XSS vulnerability in friendly name for API keys in
+ github.com/forceu/gokapi
+cves:
+ - CVE-2025-48495
+ghsas:
+ - GHSA-4xg4-54hm-9j77
+references:
+ - advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48495
+ - web: https://github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8
+source:
+ id: GHSA-4xg4-54hm-9j77
+ created: 2025-06-03T13:21:03.26262-04:00
+review_status: UNREVIEWED
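Review bot: `non_go_versions: - fixed: 2.0.0` leaves the Go-visible range open-ended (the generated OSV has `introduced: "0"` and no `fixed`), so every release of github.com/forceu/gokapi is reported as vulnerable, with `vulnerable_at: 1.9.6` the only checked point. Under Go's semantic import versioning a v2.0.0 release lives at a different module path (`github.com/forceu/gokapi/v2`) when the repository has a go.mod, in which case the open range is correct; if the tag has no go.mod it resolves as `v2.0.0+incompatible` under this path and `versions: - fixed: 2.0.0` would be the accurate record — confirm which applies before leaving the report unbounded. The same point applies to GO-2025-3737, which has identical module and version data.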
diff --git a/data/reports/GO-2025-3737.yaml b/data/reports/GO-2025-3737.yaml
new file mode 100644
index 0000000..71dbe66
--- /dev/null
+++ b/data/reports/GO-2025-3737.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-3737
+modules:
+ - module: github.com/forceu/gokapi
+ non_go_versions:
+ - fixed: 2.0.0
+ vulnerable_at: 1.9.6
+summary: |-
+ Gokapi vulnerable to stored XSS via uploading file with malicious file name in
+ github.com/forceu/gokapi
+cves:
+ - CVE-2025-48494
+ghsas:
+ - GHSA-95rc-wc32-gm53
+references:
+ - advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-48494
+ - web: https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0
+ - web: https://github.com/Forceu/Gokapi/releases/tag/v2.0.0
+source:
+ id: GHSA-95rc-wc32-gm53
+ created: 2025-06-03T13:20:57.447384-04:00
+review_status: UNREVIEWED