data/reports: add 8 reports

  - data/reports/GO-2025-3852.yaml
  - data/reports/GO-2025-3853.yaml
  - data/reports/GO-2025-3854.yaml
  - data/reports/GO-2025-3855.yaml
  - data/reports/GO-2025-3856.yaml
  - data/reports/GO-2025-3857.yaml
  - data/reports/GO-2025-3858.yaml
  - data/reports/GO-2025-3859.yaml

Fixes golang/vulndb#3852
Fixes golang/vulndb#3853
Fixes golang/vulndb#3854
Fixes golang/vulndb#3855
Fixes golang/vulndb#3856
Fixes golang/vulndb#3857
Fixes golang/vulndb#3858
Fixes golang/vulndb#3859

Change-Id: Iab7bbaaaecf743c277e97af69a54d8f4b1335cae
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/694855
Auto-Submit: Ethan Lee <ethanalee@google.com>
Reviewed-by: Markus Kusano <kusano@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3852.json b/data/osv/GO-2025-3852.json
new file mode 100644
index 0000000..ebf7094
--- /dev/null
+++ b/data/osv/GO-2025-3852.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3852",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-7195",
+    "GHSA-856v-8qm2-9wjv"
+  ],
+  "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk",
+  "details": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/operator-framework/operator-sdk",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.15.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-856v-8qm2-9wjv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3852",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3853.json b/data/osv/GO-2025-3853.json
new file mode 100644
index 0000000..269fd56
--- /dev/null
+++ b/data/osv/GO-2025-3853.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3853",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-55000",
+    "GHSA-f7c3-mhj2-9pvg"
+  ],
+  "summary": "OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao",
+  "details": "OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250806193153-183891f8d535"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55000"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3853",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3854.json b/data/osv/GO-2025-3854.json
new file mode 100644
index 0000000..49fb11d
--- /dev/null
+++ b/data/osv/GO-2025-3854.json
@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3854",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54999",
+    "GHSA-hh28-h22f-8357"
+  ],
+  "summary": "OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao",
+  "details": "OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250806193356-4d9b5d3d6486"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54999"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6011"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3854",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3855.json b/data/osv/GO-2025-3855.json
new file mode 100644
index 0000000..ec4aa5a
--- /dev/null
+++ b/data/osv/GO-2025-3855.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3855",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54998",
+    "GHSA-j3xv-7fxp-gfhx"
+  ],
+  "summary": "OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao",
+  "details": "OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250807212521-c52795c1ef74"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54998"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6004"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3855",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3856.json b/data/osv/GO-2025-3856.json
new file mode 100644
index 0000000..1a3bd5a
--- /dev/null
+++ b/data/osv/GO-2025-3856.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3856",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-55003",
+    "GHSA-rxp7-9q75-vj3p"
+  ],
+  "summary": "OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao",
+  "details": "OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250807113757-8340a6918f6c"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55003"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6015"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3856",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3857.json b/data/osv/GO-2025-3857.json
new file mode 100644
index 0000000..df81dcd
--- /dev/null
+++ b/data/osv/GO-2025-3857.json
@@ -0,0 +1,85 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3857",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54996",
+    "GHSA-vf84-mxrq-crqc"
+  ],
+  "summary": "OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao",
+  "details": "OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250806193240-9b0b5d4f345f"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54996"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/cve-2025-5999"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/pull/1627"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3857",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3858.json b/data/osv/GO-2025-3858.json
new file mode 100644
index 0000000..83e89e4
--- /dev/null
+++ b/data/osv/GO-2025-3858.json
@@ -0,0 +1,85 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3858",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54997",
+    "GHSA-xp75-r577-cvhp"
+  ],
+  "summary": "Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao",
+  "details": "Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250806194004-a14053c9679d"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54997"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/pull/1634"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6000"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3858",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3859.json b/data/osv/GO-2025-3859.json
new file mode 100644
index 0000000..bf1bc6f
--- /dev/null
+++ b/data/osv/GO-2025-3859.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3859",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-55001",
+    "GHSA-2q8q-8fgw-9p6p"
+  ],
+  "summary": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao",
+  "details": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/openbao/openbao",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20250807212521-c52795c1ef74"
+            },
+            {
+              "introduced": "0.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.3.2"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55001"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3859",
+    "review_status": "UNREVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3852.yaml b/data/reports/GO-2025-3852.yaml
new file mode 100644
index 0000000..e71d35a
--- /dev/null
+++ b/data/reports/GO-2025-3852.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3852
+modules:
+    - module: github.com/operator-framework/operator-sdk
+      versions:
+        - fixed: 0.15.2
+      vulnerable_at: 0.15.1
+summary: 'operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk'
+cves:
+    - CVE-2025-7195
+ghsas:
+    - GHSA-856v-8qm2-9wjv
+references:
+    - advisory: https://github.com/advisories/GHSA-856v-8qm2-9wjv
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-7195
+    - web: https://access.redhat.com/security/cve/CVE-2025-7195
+    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2376300
+source:
+    id: GHSA-856v-8qm2-9wjv
+    created: 2025-08-11T17:47:55.07967159Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3853.yaml b/data/reports/GO-2025-3853.yaml
new file mode 100644
index 0000000..80db5f6
--- /dev/null
+++ b/data/reports/GO-2025-3853.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3853
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250806193153-183891f8d535
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
+cves:
+    - CVE-2025-55000
+ghsas:
+    - GHSA-f7c3-mhj2-9pvg
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55000
+    - fix: https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-f7c3-mhj2-9pvg
+    created: 2025-08-11T17:47:50.552468148Z
+review_status: UNREVIEWED
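Review bot: The `- introduced: 0.1.0` entry under `versions` has no closing `fixed`, so the Go-version range stays open for every version from 0.1.0 upward, and the only record of the real fix is `non_go_versions: fixed: 2.3.2`. The report's own `notes` entry shows the tooling could not set `vulnerable_at` for this reason, so the range was presumably never checked against a resolvable module version. A scanner that matches only on `versions` would likely keep flagging a build that resolves to 0.1.0 or later even when it contains the fix commit. I would add a comment above that line, such as `# open-ended on purpose: upstream release tags could not be mapped to Go module versions; fix is non_go_versions 2.3.2`. The same pattern appears in GO-2025-3854 through GO-2025-3859.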
diff --git a/data/reports/GO-2025-3854.yaml b/data/reports/GO-2025-3854.yaml
new file mode 100644
index 0000000..14267ac
--- /dev/null
+++ b/data/reports/GO-2025-3854.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-3854
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250806193356-4d9b5d3d6486
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao
+cves:
+    - CVE-2025-54999
+ghsas:
+    - GHSA-hh28-h22f-8357
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54999
+    - fix: https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6011
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-hh28-h22f-8357
+    created: 2025-08-11T17:47:45.322448242Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3855.yaml b/data/reports/GO-2025-3855.yaml
new file mode 100644
index 0000000..1b8c3f9
--- /dev/null
+++ b/data/reports/GO-2025-3855.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3855
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250807212521-c52795c1ef74
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao
+cves:
+    - CVE-2025-54998
+ghsas:
+    - GHSA-j3xv-7fxp-gfhx
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54998
+    - fix: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6004
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-j3xv-7fxp-gfhx
+    created: 2025-08-11T17:47:40.561780898Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3856.yaml b/data/reports/GO-2025-3856.yaml
new file mode 100644
index 0000000..ca09da2
--- /dev/null
+++ b/data/reports/GO-2025-3856.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3856
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250807113757-8340a6918f6c
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao
+cves:
+    - CVE-2025-55003
+ghsas:
+    - GHSA-rxp7-9q75-vj3p
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55003
+    - fix: https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6015
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-rxp7-9q75-vj3p
+    created: 2025-08-11T17:47:35.965536488Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3857.yaml b/data/reports/GO-2025-3857.yaml
new file mode 100644
index 0000000..ecfce48
--- /dev/null
+++ b/data/reports/GO-2025-3857.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3857
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250806193240-9b0b5d4f345f
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao
+cves:
+    - CVE-2025-54996
+ghsas:
+    - GHSA-vf84-mxrq-crqc
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54996
+    - advisory: https://nvd.nist.gov/vuln/detail/cve-2025-5999
+    - fix: https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f
+    - fix: https://github.com/openbao/openbao/pull/1627
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
+    - web: https://github.com/openbao/openbao/releases/tag/v2.3.2
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-vf84-mxrq-crqc
+    created: 2025-08-11T17:47:30.585357319Z
+review_status: UNREVIEWED
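Review bot: The reference `advisory: https://nvd.nist.gov/vuln/detail/cve-2025-5999` is typed as an advisory and spelled in lower case, although CVE-2025-5999 is not listed under `cves`. The sibling reports in this commit file what appears to be the corresponding upstream CVE link as `web`, for example `web: https://nvd.nist.gov/vuln/detail/CVE-2025-6014` in GO-2025-3853. For consistency I would change the line to `- web: https://nvd.nist.gov/vuln/detail/CVE-2025-5999`, so that only the aliased identifier is presented as this report's advisory. The generated data/osv/GO-2025-3857.json carries the same entry and would need regenerating.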
diff --git a/data/reports/GO-2025-3858.yaml b/data/reports/GO-2025-3858.yaml
new file mode 100644
index 0000000..2b49a59
--- /dev/null
+++ b/data/reports/GO-2025-3858.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3858
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250806194004-a14053c9679d
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao
+cves:
+    - CVE-2025-54997
+ghsas:
+    - GHSA-xp75-r577-cvhp
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54997
+    - fix: https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2
+    - fix: https://github.com/openbao/openbao/pull/1634
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
+    - web: https://github.com/openbao/openbao/releases/tag/v2.3.2
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6000
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-xp75-r577-cvhp
+    created: 2025-08-11T17:47:24.548515944Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3859.yaml b/data/reports/GO-2025-3859.yaml
new file mode 100644
index 0000000..97e0181
--- /dev/null
+++ b/data/reports/GO-2025-3859.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3859
+modules:
+    - module: github.com/openbao/openbao
+      versions:
+        - fixed: 0.0.0-20250807212521-c52795c1ef74
+        - introduced: 0.1.0
+      non_go_versions:
+        - fixed: 2.3.2
+summary: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao
+cves:
+    - CVE-2025-55001
+ghsas:
+    - GHSA-2q8q-8fgw-9p6p
+references:
+    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55001
+    - fix: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
+    - web: https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
+    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6013
+notes:
+    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+    id: GHSA-2q8q-8fgw-9p6p
+    created: 2025-08-11T17:47:18.965594499Z
+review_status: UNREVIEWED