data/reports: add 47 UNREVIEWED reports
- data/reports/GO-2025-4026.yaml
- data/reports/GO-2025-4028.yaml
- data/reports/GO-2025-4029.yaml
- data/reports/GO-2025-4030.yaml
- data/reports/GO-2025-4031.yaml
- data/reports/GO-2025-4032.yaml
- data/reports/GO-2025-4033.yaml
- data/reports/GO-2025-4034.yaml
- data/reports/GO-2025-4035.yaml
- data/reports/GO-2025-4036.yaml
- data/reports/GO-2025-4039.yaml
- data/reports/GO-2025-4040.yaml
- data/reports/GO-2025-4041.yaml
- data/reports/GO-2025-4042.yaml
- data/reports/GO-2025-4043.yaml
- data/reports/GO-2025-4045.yaml
- data/reports/GO-2025-4046.yaml
- data/reports/GO-2025-4047.yaml
- data/reports/GO-2025-4048.yaml
- data/reports/GO-2025-4049.yaml
- data/reports/GO-2025-4050.yaml
- data/reports/GO-2025-4051.yaml
- data/reports/GO-2025-4052.yaml
- data/reports/GO-2025-4053.yaml
- data/reports/GO-2025-4054.yaml
- data/reports/GO-2025-4055.yaml
- data/reports/GO-2025-4056.yaml
- data/reports/GO-2025-4057.yaml
- data/reports/GO-2025-4058.yaml
- data/reports/GO-2025-4059.yaml
- data/reports/GO-2025-4060.yaml
- data/reports/GO-2025-4061.yaml
- data/reports/GO-2025-4062.yaml
- data/reports/GO-2025-4063.yaml
- data/reports/GO-2025-4064.yaml
- data/reports/GO-2025-4065.yaml
- data/reports/GO-2025-4066.yaml
- data/reports/GO-2025-4067.yaml
- data/reports/GO-2025-4068.yaml
- data/reports/GO-2025-4070.yaml
- data/reports/GO-2025-4071.yaml
- data/reports/GO-2025-4072.yaml
- data/reports/GO-2025-4073.yaml
- data/reports/GO-2025-4074.yaml
- data/reports/GO-2025-4075.yaml
- data/reports/GO-2025-4076.yaml
- data/reports/GO-2025-4077.yaml
Fixes golang/vulndb#4026
Fixes golang/vulndb#4028
Fixes golang/vulndb#4029
Fixes golang/vulndb#4030
Fixes golang/vulndb#4031
Fixes golang/vulndb#4032
Fixes golang/vulndb#4033
Fixes golang/vulndb#4034
Fixes golang/vulndb#4035
Fixes golang/vulndb#4036
Fixes golang/vulndb#4039
Fixes golang/vulndb#4040
Fixes golang/vulndb#4041
Fixes golang/vulndb#4042
Fixes golang/vulndb#4043
Fixes golang/vulndb#4045
Fixes golang/vulndb#4046
Fixes golang/vulndb#4047
Fixes golang/vulndb#4048
Fixes golang/vulndb#4049
Fixes golang/vulndb#4050
Fixes golang/vulndb#4051
Fixes golang/vulndb#4052
Fixes golang/vulndb#4053
Fixes golang/vulndb#4054
Fixes golang/vulndb#4055
Fixes golang/vulndb#4056
Fixes golang/vulndb#4057
Fixes golang/vulndb#4058
Fixes golang/vulndb#4059
Fixes golang/vulndb#4060
Fixes golang/vulndb#4061
Fixes golang/vulndb#4062
Fixes golang/vulndb#4063
Fixes golang/vulndb#4064
Fixes golang/vulndb#4065
Fixes golang/vulndb#4066
Fixes golang/vulndb#4067
Fixes golang/vulndb#4068
Fixes golang/vulndb#4070
Fixes golang/vulndb#4071
Fixes golang/vulndb#4072
Fixes golang/vulndb#4073
Fixes golang/vulndb#4074
Fixes golang/vulndb#4075
Fixes golang/vulndb#4076
Fixes golang/vulndb#4077
Change-Id: Ibea9f6e3012e2f5d18173c0cc185d5dd8ce07f15
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/715780
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ethan Lee <ethanalee@google.com>
diff --git a/data/osv/GO-2025-4026.json b/data/osv/GO-2025-4026.json
new file mode 100644
index 0000000..42572ec
--- /dev/null
+++ b/data/osv/GO-2025-4026.json
@@ -0,0 +1,75 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4026",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-61524",
+ "GHSA-5m9m-j5p7-m7f9"
+ ],
+ "summary": "Casdoor is vulnerable to Improper Authorization in github.com/casdoor/casdoor",
+ "details": "Casdoor is vulnerable to Improper Authorization in github.com/casdoor/casdoor.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/casdoor/casdoor before v2.63.0.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/casdoor/casdoor",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.63.0"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5m9m-j5p7-m7f9"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61524"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/casdoor/casdoor/commit/d883db907bb6e0b95737ef8e8b57b7da9078cbdd"
+ },
+ {
+ "type": "WEB",
+ "url": "http://casdoor.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casdoor/casdoor/releases/tag/v2.63.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4026",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
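Review bot: The `SEMVER` range in `affected[0].ranges` has only `{"introduced": "0"}` and no `fixed` event, so a consumer that matches on `ranges` alone treats every version of github.com/casdoor/casdoor as affected, including v2.63.0 and later; the fix is recorded only under `ecosystem_specific.custom_ranges`. The `details` text already warns about false positives, but the report stays noisy until the fix is mapped to a Go module version. When the report is reviewed, consider adding a `fixed` event with the pseudo-version of the FIX commit, e.g. `{"fixed": "0.0.0-<commit-timestamp>-d883db907bb6"}` (the timestamp is a placeholder to be taken from the commit), as GO-2025-4034 does for minio. This file is generated, so the change belongs in data/reports/GO-2025-4026.yaml. GO-2025-4039 (openbao, `fixed` 2.4.1 only in `custom_ranges`) has the same shape.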
diff --git a/data/osv/GO-2025-4028.json b/data/osv/GO-2025-4028.json
new file mode 100644
index 0000000..3e7661c
--- /dev/null
+++ b/data/osv/GO-2025-4028.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4028",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62375",
+ "GHSA-72c7-4g63-hpw5"
+ ],
+ "summary": "go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents in github.com/in-toto/go-witness",
+ "details": "go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents in github.com/in-toto/go-witness",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/in-toto/go-witness",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.9.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62375"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4028",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4029.json b/data/osv/GO-2025-4029.json
new file mode 100644
index 0000000..eed465c
--- /dev/null
+++ b/data/osv/GO-2025-4029.json
@@ -0,0 +1,141 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4029",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-41410",
+ "GHSA-3q4q-wqm6-hvf3"
+ ],
+ "summary": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250822083415-01b95392a450.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.11+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.3+incompatible"
+ },
+ {
+ "introduced": "10.11.0+incompatible"
+ },
+ {
+ "fixed": "10.11.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250822083415-01b95392a450"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-3q4q-wqm6-hvf3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/01b95392a450676407475596d1c041a047067329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/0d6e8fa2e4681a172a136db18001104a57f9c28e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/ef896a4ea60cacbe03124106e1f42e5c25276427"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4029",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
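Review bot: The `github.com/mattermost/mattermost/server/v8` entry leaves its `SEMVER` range open (`introduced: "0"`, no `fixed`) and puts `8.0.0-20250822083415-01b95392a450` in `custom_ranges`, although that value has pseudo-version form and sibling reports in this commit (GO-2025-4030, GO-2025-4032, GO-2025-4036) carry their v8 pseudo-versions directly in the `SEMVER` `fixed` event. Presumably the automatic mapping could not resolve this pseudo-version against the module. It is worth checking whether the timestamp matches commit 01b95392a450 and, if a valid pseudo-version exists, moving it into `ranges`. Until then every v8 version is reported as affected. GO-2025-4035 has the same issue with `8.0.0-20250815100400-2d5cdc6e217e`.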
diff --git a/data/osv/GO-2025-4030.json b/data/osv/GO-2025-4030.json
new file mode 100644
index 0000000..fe4bad8
--- /dev/null
+++ b/data/osv/GO-2025-4030.json
@@ -0,0 +1,128 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4030",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-10545",
+ "GHSA-424h-xj87-m937"
+ ],
+ "summary": "Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.11+incompatible"
+ },
+ {
+ "introduced": "10.11.0+incompatible"
+ },
+ {
+ "fixed": "10.11.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250820115038-ff30b84049f0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-424h-xj87-m937"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10545"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/fb9c583f5e466a566a5122154ef337bbf2238902"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/ff30b84049f0193f0570d30e46cffc3602298c67"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/pull/31319"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/pull/33827"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4030",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4031.json b/data/osv/GO-2025-4031.json
new file mode 100644
index 0000000..a667508
--- /dev/null
+++ b/data/osv/GO-2025-4031.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4031",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-41443",
+ "GHSA-7cr3-38jm-6p45"
+ ],
+ "summary": "Guest user can discover active public channels in github.com/mattermost/mattermost-server",
+ "details": "Guest user can discover active public channels in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41443"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "credits": [
+ {
+ "name": "lordwillmore"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4031",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
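Review bot: This report lists only `github.com/mattermost/mattermost-server` with an open-ended range (`introduced: "0"`, no `fixed`), whereas the other Mattermost reports in this commit also list the `/v5`, `/v6` and `github.com/mattermost/mattermost/server/v8` module paths and give bounded 10.x ranges. As written, all versions of the legacy module path are flagged, while users of the v8 module get no finding at all. The references also lack a link for the aliased GHSA-7cr3-38jm-6p45. This may simply mirror a sparse source advisory, but it should be confirmed against the Mattermost security updates page before the report is marked reviewed.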
diff --git a/data/osv/GO-2025-4032.json b/data/osv/GO-2025-4032.json
new file mode 100644
index 0000000..55f8680
--- /dev/null
+++ b/data/osv/GO-2025-4032.json
@@ -0,0 +1,130 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4032",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-58073",
+ "GHSA-6q7m-p8cc-998r"
+ ],
+ "summary": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.11+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.3+incompatible"
+ },
+ {
+ "introduced": "10.11.0+incompatible"
+ },
+ {
+ "fixed": "10.11.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250807174701-e14175eb6539"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-6q7m-p8cc-998r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58073"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/2096f975b2c0ebe95fb1078c3b1a527da574796d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/39bd251fe4f66b7e847fc6d653221886347ff160"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/e14175eb65393bebc16dbb68a8105b3094b0f0dd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4032",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4033.json b/data/osv/GO-2025-4033.json
new file mode 100644
index 0000000..d110aa4
--- /dev/null
+++ b/data/osv/GO-2025-4033.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4033",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-61581",
+ "GHSA-9m49-p2j3-c6xm"
+ ],
+ "summary": "Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability in github.com/apache/trafficcontrol",
+ "details": "Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability in github.com/apache/trafficcontrol",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/apache/trafficcontrol",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/apache/trafficcontrol/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9m49-p2j3-c6xm"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61581"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4033",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4034.json b/data/osv/GO-2025-4034.json
new file mode 100644
index 0000000..ed4cbf7
--- /dev/null
+++ b/data/osv/GO-2025-4034.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4034",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62506",
+ "GHSA-jjjj-jwhf-8rgr"
+ ],
+ "summary": "MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS in github.com/minio/minio",
+ "details": "MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS in github.com/minio/minio",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/minio/minio",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20251015170045-c1a49490c78e"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62506"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/minio/minio/pull/21642"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/minio/minio/issues/21647"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/minio/minio/discussions/21655"
+ },
+ {
+ "type": "WEB",
+ "url": "https://news.ycombinator.com/item?id=45684035"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4034",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4035.json b/data/osv/GO-2025-4035.json
new file mode 100644
index 0000000..0b607ef
--- /dev/null
+++ b/data/osv/GO-2025-4035.json
@@ -0,0 +1,141 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4035",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-58075",
+ "GHSA-r6qj-894f-5hr2"
+ ],
+ "summary": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250815100400-2d5cdc6e217e.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.11+incompatible"
+ },
+ {
+ "introduced": "10.10.0+incompatible"
+ },
+ {
+ "fixed": "10.10.3+incompatible"
+ },
+ {
+ "introduced": "10.11.0+incompatible"
+ },
+ {
+ "fixed": "10.11.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250815100400-2d5cdc6e217e"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r6qj-894f-5hr2"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58075"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/0e478b2d895e89143c7732c7b33e16d98ace663d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/2d5cdc6e217eb244e7f2122cb89f85140b6d982a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/7a2ac23e207429d7db8acc3770908c15c0b5c33e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4035",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4036.json b/data/osv/GO-2025-4036.json
new file mode 100644
index 0000000..9af6aec
--- /dev/null
+++ b/data/osv/GO-2025-4036.json
@@ -0,0 +1,120 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4036",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54499",
+ "GHSA-xr3w-rmvj-f6m7"
+ ],
+ "summary": "Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server",
+ "details": "Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "10.5.0+incompatible"
+ },
+ {
+ "fixed": "10.5.11+incompatible"
+ },
+ {
+ "introduced": "10.11.0+incompatible"
+ },
+ {
+ "fixed": "10.11.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v5",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server/v6",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost/server/v8",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "8.0.0-20250728063359-38208b8f065f"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-xr3w-rmvj-f6m7"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54499"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/38208b8f065f0786eac0e968f9d754b91b62878c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/97a4c7839cf5610cfe17c52042878aebb7678372"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4036",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4039.json b/data/osv/GO-2025-4039.json
new file mode 100644
index 0000000..cc448e9
--- /dev/null
+++ b/data/osv/GO-2025-4039.json
@@ -0,0 +1,79 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4039",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59043",
+ "GHSA-g46h-2rq9-gw5m"
+ ],
+ "summary": "OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao",
+ "details": "OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.4.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59043"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/pull/1756"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6203"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4039",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4040.json b/data/osv/GO-2025-4040.json
new file mode 100644
index 0000000..3395e53
--- /dev/null
+++ b/data/osv/GO-2025-4040.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4040",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-10678",
+ "GHSA-g3j4-58mp-3x25"
+ ],
+ "summary": "NetBird VPN does not remove the default password of an admin account in github.com/netbirdio/netbird",
+ "details": "NetBird VPN does not remove the default password of an admin account in github.com/netbirdio/netbird",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/netbirdio/netbird",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.57.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g3j4-58mp-3x25"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10678"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/netbirdio/netbird/commit/cf7f6c355f713e83cf171b79e08dac60b316e4fd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cert.pl/en/posts/2025/10/CVE-2025-10678"
+ },
+ {
+ "type": "WEB",
+ "url": "https://netbird.io"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4040",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4041.json b/data/osv/GO-2025-4041.json
new file mode 100644
index 0000000..46d75e2
--- /dev/null
+++ b/data/osv/GO-2025-4041.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4041",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-8pfh-j44r-f654"
+ ],
+ "summary": "Cosmos EVM Vulnerability in github.com/cosmos/evm",
+ "details": "Cosmos EVM Vulnerability in github.com/cosmos/evm",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cosmos/evm",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.3.0"
+ },
+ {
+ "fixed": "0.3.2"
+ },
+ {
+ "introduced": "0.4.0"
+ },
+ {
+ "fixed": "0.4.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cosmos/evm/security/advisories/GHSA-8pfh-j44r-f654"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cosmos/evm/commit/79089feebe79ce1f35250ba457cbd436e6bfff8b"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4041",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4042.json b/data/osv/GO-2025-4042.json
new file mode 100644
index 0000000..987065e
--- /dev/null
+++ b/data/osv/GO-2025-4042.json
@@ -0,0 +1,64 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4042",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54469",
+ "GHSA-c8g6-qrwh-m3vp"
+ ],
+ "summary": "NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow in github.com/neuvector/neuvector",
+ "details": "NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow in github.com/neuvector/neuvector.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/neuvector/neuvector from v5.3.0 before v5.3.5, from v5.4.0 before v5.4.7.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/neuvector/neuvector",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.0.0-20230727023453-1c4957d53911"
+ },
+ {
+ "fixed": "0.0.0-20251020133207-084a437033b4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.3.0"
+ },
+ {
+ "fixed": "5.3.5"
+ },
+ {
+ "introduced": "5.4.0"
+ },
+ {
+ "fixed": "5.4.7"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4042",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
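Review bot: The `SEMVER` range is a single interval ending at `0.0.0-20251020133207-084a437033b4`, while `custom_ranges` describes two disjoint intervals (5.3.0 to 5.3.5 and 5.4.0 to 5.4.7). The pseudo-version range is identical to the one in GO-2025-4043, whose advisory has only one interval. It looks as if the 5.3.5 fix has no pseudo-version counterpart here, so builds taken from the 5.3 line after that fix would presumably still be flagged. The references also omit a FIX entry, even though the `fixed` pseudo-version embeds the hash of the commit that GO-2025-4043 cites as its fix. If that commit also fixes this issue, add `{"type": "FIX", "url": "https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88"}`.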
diff --git a/data/osv/GO-2025-4043.json b/data/osv/GO-2025-4043.json
new file mode 100644
index 0000000..295aa5e
--- /dev/null
+++ b/data/osv/GO-2025-4043.json
@@ -0,0 +1,62 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4043",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54471",
+ "GHSA-h773-7gf7-9m2x"
+ ],
+ "summary": "NeuVector is shipping cryptographic material into its binary in github.com/neuvector/neuvector",
+ "details": "NeuVector is shipping cryptographic material into its binary in github.com/neuvector/neuvector.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/neuvector/neuvector from v5.3.0 before v5.4.7.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/neuvector/neuvector",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.0.0-20230727023453-1c4957d53911"
+ },
+ {
+ "fixed": "0.0.0-20251020133207-084a437033b4"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.3.0"
+ },
+ {
+ "fixed": "5.4.7"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4043",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4045.json b/data/osv/GO-2025-4045.json
new file mode 100644
index 0000000..279dbcf
--- /dev/null
+++ b/data/osv/GO-2025-4045.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4045",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11063",
+ "GHSA-cffj-7w5c-jqjh"
+ ],
+ "summary": "Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.5.1+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-cffj-7w5c-jqjh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11063"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/48533aa483879a19fdd2c1e09c596aa6c028d439"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4045",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4046.json b/data/osv/GO-2025-4046.json
new file mode 100644
index 0000000..b19a5c0
--- /dev/null
+++ b/data/osv/GO-2025-4046.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4046",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11067",
+ "GHSA-ffcc-qr2v-3qmv"
+ ],
+ "summary": "Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-ffcc-qr2v-3qmv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11067"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4046",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4047.json b/data/osv/GO-2025-4047.json
new file mode 100644
index 0000000..bd6d176
--- /dev/null
+++ b/data/osv/GO-2025-4047.json
@@ -0,0 +1,67 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4047",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11066",
+ "GHSA-r93j-3mmp-px57"
+ ],
+ "summary": "Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.1.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-r93j-3mmp-px57"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11066"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/f89e7c6d543a82d6078c2ca0f892914d7976a6f5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4047",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
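Review bot: The SEMVER range at `"introduced": "0"` has no `fixed` event, so a scanner that reads `ranges` will report every version of github.com/mattermost/mattermost-server as affected, including releases at or after the 3.1.1 fix recorded under `custom_ranges`. Sibling reports in this commit express fixes as `3.2.0+incompatible`; if `3.1.1+incompatible` resolves for this module, adding `{"fixed": "3.1.1+incompatible"}` to the SEMVER events would close the range. GO-2025-4061 has the same open-ended range. The JSON appears to be derived from data/reports/GO-2025-4047.yaml, so the change would belong in that report.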
diff --git a/data/osv/GO-2025-4048.json b/data/osv/GO-2025-4048.json
new file mode 100644
index 0000000..56ce129
--- /dev/null
+++ b/data/osv/GO-2025-4048.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4048",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11068",
+ "GHSA-7vmw-6c7h-rrrv"
+ ],
+ "summary": "Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-7vmw-6c7h-rrrv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11068"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/6c5a8be6bfe1d6b9d8f71a6b0dc4d8cf93a03aab"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4048",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4049.json b/data/osv/GO-2025-4049.json
new file mode 100644
index 0000000..1184974
--- /dev/null
+++ b/data/osv/GO-2025-4049.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4049",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62513",
+ "GHSA-ghfh-fmx4-26h8"
+ ],
+ "summary": "OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao",
+ "details": "OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.0.0-20241114205727-b1235e585db7"
+ },
+ {
+ "fixed": "0.0.0-20251022165510-cc2c476bac66"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62513"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4049",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4050.json b/data/osv/GO-2025-4050.json
new file mode 100644
index 0000000..9574060
--- /dev/null
+++ b/data/osv/GO-2025-4050.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4050",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11070",
+ "GHSA-h8qw-xqm9-q66j"
+ ],
+ "summary": "Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h8qw-xqm9-q66j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11070"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/c5deb333db40e4e527f98edb93b41d1b66cfec5f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4050",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4051.json b/data/osv/GO-2025-4051.json
new file mode 100644
index 0000000..6affb08
--- /dev/null
+++ b/data/osv/GO-2025-4051.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4051",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11069",
+ "GHSA-qrf6-h5fc-7m96"
+ ],
+ "summary": "Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qrf6-h5fc-7m96"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/c976c2881ce5e34febac8a9850a6bad5d728625e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4051",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4052.json b/data/osv/GO-2025-4052.json
new file mode 100644
index 0000000..69ffd8c
--- /dev/null
+++ b/data/osv/GO-2025-4052.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4052",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62705",
+ "GHSA-rc54-2g2c-g36g"
+ ],
+ "summary": "OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao",
+ "details": "OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20251022165510-cc2c476bac66"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62705"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4052",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4053.json b/data/osv/GO-2025-4053.json
new file mode 100644
index 0000000..a84717e
--- /dev/null
+++ b/data/osv/GO-2025-4053.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4053",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11079",
+ "GHSA-2j9c-76pp-xc5q"
+ ],
+ "summary": "Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2j9c-76pp-xc5q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11079"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4053",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4054.json b/data/osv/GO-2025-4054.json
new file mode 100644
index 0000000..94c9a78
--- /dev/null
+++ b/data/osv/GO-2025-4054.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4054",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11076",
+ "GHSA-379p-37xc-q963"
+ ],
+ "summary": "Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-379p-37xc-q963"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11076"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/bac25154d659883c801b3bb9a0687f46570f5bbf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4054",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4055.json b/data/osv/GO-2025-4055.json
new file mode 100644
index 0000000..368a42f
--- /dev/null
+++ b/data/osv/GO-2025-4055.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4055",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11072",
+ "GHSA-43m6-wvc8-2m7j"
+ ],
+ "summary": "Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.2+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-43m6-wvc8-2m7j"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11072"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/ac509b114df1c1b4b841eded74fb797805e0162d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4055",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4056.json b/data/osv/GO-2025-4056.json
new file mode 100644
index 0000000..ee8ae76
--- /dev/null
+++ b/data/osv/GO-2025-4056.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4056",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11073",
+ "GHSA-9jrx-fgrm-96qh"
+ ],
+ "summary": "Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9jrx-fgrm-96qh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11073"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/5ed7c3baa5b44356e92551c05e75ef2a47e2bf9b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4056",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4057.json b/data/osv/GO-2025-4057.json
new file mode 100644
index 0000000..0e3f755
--- /dev/null
+++ b/data/osv/GO-2025-4057.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4057",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11078",
+ "GHSA-9w4v-9c99-hv7r"
+ ],
+ "summary": "Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9w4v-9c99-hv7r"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11078"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4057",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4058.json b/data/osv/GO-2025-4058.json
new file mode 100644
index 0000000..d938d63
--- /dev/null
+++ b/data/osv/GO-2025-4058.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4058",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11071",
+ "GHSA-h3qg-w9j5-wh3m"
+ ],
+ "summary": "Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h3qg-w9j5-wh3m"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11071"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4058",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4059.json b/data/osv/GO-2025-4059.json
new file mode 100644
index 0000000..7e34282
--- /dev/null
+++ b/data/osv/GO-2025-4059.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4059",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11074",
+ "GHSA-j26g-95ph-2mwv"
+ ],
+ "summary": "Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-j26g-95ph-2mwv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11074"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4059",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4060.json b/data/osv/GO-2025-4060.json
new file mode 100644
index 0000000..a482153
--- /dev/null
+++ b/data/osv/GO-2025-4060.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4060",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11077",
+ "GHSA-mj8v-773w-5qhj"
+ ],
+ "summary": "Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-mj8v-773w-5qhj"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11077"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/5d7e34c94b56c4b0abb0c3d1702f2b5feb8d2904"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4060",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4061.json b/data/osv/GO-2025-4061.json
new file mode 100644
index 0000000..c7375a2
--- /dev/null
+++ b/data/osv/GO-2025-4061.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4061",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11075",
+ "GHSA-q3g9-hgrx-hwhx"
+ ],
+ "summary": "Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v2.0.1-0.20160310160916-26ad6d2c7696.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.1-0.20160310160916-26ad6d2c7696"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-q3g9-hgrx-hwhx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11075"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4061",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4062.json b/data/osv/GO-2025-4062.json
new file mode 100644
index 0000000..7d6d8a5
--- /dev/null
+++ b/data/osv/GO-2025-4062.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4062",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11081",
+ "GHSA-5q37-9874-qxcw"
+ ],
+ "summary": "Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5q37-9874-qxcw"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11081"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/a51a8ebc264c89f227e831c01fa048dafb7ee6c6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4062",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4063.json b/data/osv/GO-2025-4063.json
new file mode 100644
index 0000000..0509be4
--- /dev/null
+++ b/data/osv/GO-2025-4063.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4063",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11080",
+ "GHSA-g3f3-p9rc-775p"
+ ],
+ "summary": "Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.0.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g3f3-p9rc-775p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11080"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/6c75662b824491a20a757a5eec59556a866374b5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4063",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4064.json b/data/osv/GO-2025-4064.json
new file mode 100644
index 0000000..c6b84f7
--- /dev/null
+++ b/data/osv/GO-2025-4064.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4064",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11082",
+ "GHSA-m78r-2x6w-qqjp"
+ ],
+ "summary": "Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-m78r-2x6w-qqjp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11082"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/8736e9dad1afd0fec8746f1213f8b33b4ac61290"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4064",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4065.json b/data/osv/GO-2025-4065.json
new file mode 100644
index 0000000..f75a971
--- /dev/null
+++ b/data/osv/GO-2025-4065.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4065",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11083",
+ "GHSA-rm24-25xm-9454"
+ ],
+ "summary": "Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rm24-25xm-9454"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11083"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/480308b7029a04cf41d0e9e7cd68b52dc2138e98"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4065",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4066.json b/data/osv/GO-2025-4066.json
new file mode 100644
index 0000000..318b0bf
--- /dev/null
+++ b/data/osv/GO-2025-4066.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4066",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2016-11084",
+ "GHSA-vw57-55f8-c73q"
+ ],
+ "summary": "Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vw57-55f8-c73q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11084"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4066",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4067.json b/data/osv/GO-2025-4067.json
new file mode 100644
index 0000000..e2ab7c9
--- /dev/null
+++ b/data/osv/GO-2025-4067.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4067",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-59048",
+ "GHSA-jp7h-4f3c-9rc7"
+ ],
+ "summary": "OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method in github.com/openbao/openbao-plugins",
+ "details": "OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method in github.com/openbao/openbao-plugins.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao-plugins before v0.1.1.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao-plugins",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.1.1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4067",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4068.json b/data/osv/GO-2025-4068.json
new file mode 100644
index 0000000..95b6b86
--- /dev/null
+++ b/data/osv/GO-2025-4068.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4068",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62820",
+ "GHSA-x6fh-7qmf-69xh"
+ ],
+ "summary": "Slack Nebula may accept arbitrary source IP addresses in github.com/slackhq/nebula",
+ "details": "Slack Nebula may accept arbitrary source IP addresses in github.com/slackhq/nebula",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/slackhq/nebula",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.9.4"
+ },
+ {
+ "fixed": "1.9.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-x6fh-7qmf-69xh"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62820"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/slackhq/nebula/commit/e264a0ff888c7bf0568579306755a60fc42f6ecc"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/slackhq/nebula/pull/1493"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/slackhq/nebula/pull/1494"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4068",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4070.json b/data/osv/GO-2025-4070.json
new file mode 100644
index 0000000..903e4a6
--- /dev/null
+++ b/data/osv/GO-2025-4070.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4070",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-11621",
+ "GHSA-9g4h-h484-3578"
+ ],
+ "summary": "HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault",
+ "details": "HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.6.0"
+ },
+ {
+ "fixed": "1.21.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9g4h-h484-3578"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11621"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/vault/commit/8d07273d14ae7f5a48cc96f66cc86615dea83390"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4070",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4071.json b/data/osv/GO-2025-4071.json
new file mode 100644
index 0000000..f70be3c
--- /dev/null
+++ b/data/osv/GO-2025-4071.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4071",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-12044",
+ "GHSA-vp5w-xcfc-73wf"
+ ],
+ "summary": "Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON in github.com/hashicorp/vault",
+ "details": "Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON in github.com/hashicorp/vault",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/hashicorp/vault",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.20.3"
+ },
+ {
+ "fixed": "1.21.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vp5w-xcfc-73wf"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12044"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/vault/commit/b19e74c29a33ed2a99fc01626104db1a49345df3"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab89"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4071",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4072.json b/data/osv/GO-2025-4072.json
new file mode 100644
index 0000000..6145dad
--- /dev/null
+++ b/data/osv/GO-2025-4072.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4072",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62714",
+ "GHSA-5qjg-9mjh-4r92"
+ ],
+ "summary": "Karmada Dashboard API Unauthorized Access Vulnerability in github.com/karmada-io/dashboard",
+ "details": "Karmada Dashboard API Unauthorized Access Vulnerability in github.com/karmada-io/dashboard",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/karmada-io/dashboard",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.2.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/karmada-io/dashboard/pull/271"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/karmada-io/dashboard/pull/280"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/karmada-io/dashboard/releases/tag/v0.2.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4072",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4073.json b/data/osv/GO-2025-4073.json
new file mode 100644
index 0000000..707cf51
--- /dev/null
+++ b/data/osv/GO-2025-4073.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4073",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-32199",
+ "GHSA-j4vr-pcmw-hx59"
+ ],
+ "summary": "Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher",
+ "details": "Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20251014212116-7faa74a968c2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/rancher/pull/52303"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4073",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4074.json b/data/osv/GO-2025-4074.json
new file mode 100644
index 0000000..2d4809b
--- /dev/null
+++ b/data/osv/GO-2025-4074.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4074",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-58269",
+ "GHSA-mw39-9qc2-f7mg"
+ ],
+ "summary": "Rancher exposes sensitive information through audit logs in github.com/rancher/rancher",
+ "details": "Rancher exposes sensitive information through audit logs in github.com/rancher/rancher",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/rancher/rancher",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20251013203444-50dc516a19ea"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/rancher/rancher/security/advisories/GHSA-mw39-9qc2-f7mg"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/rancher/commit/26ad9216e94f77b5471f638256a6989030572adc"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/rancher/rancher/commit/50dc516a19ea216e270f738912dc8d0c9ca99d5d"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4074",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4075.json b/data/osv/GO-2025-4075.json
new file mode 100644
index 0000000..19fb473
--- /dev/null
+++ b/data/osv/GO-2025-4075.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4075",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2017-18872",
+ "GHSA-hgrp-fgm8-56g8"
+ ],
+ "summary": "Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server",
+ "details": "Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/mattermost/mattermost-server",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.3.3+incompatible"
+ },
+ {
+ "introduced": "4.4.0-rc1+incompatible"
+ },
+ {
+ "fixed": "4.4.3+incompatible"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hgrp-fgm8-56g8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18872"
+ },
+ {
+ "type": "WEB",
+ "url": "http://github.com/mattermost/mattermost/commit/753386c2b2b06233d8bd977e3db29a4fe18098cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mattermost/mattermost/commit/8f6bb1570dd234c63de5241eff9fbb268aad358c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4075",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4076.json b/data/osv/GO-2025-4076.json
new file mode 100644
index 0000000..90f0de4
--- /dev/null
+++ b/data/osv/GO-2025-4076.json
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4076",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-58356",
+ "GHSA-hq76-6gh2-5g4q"
+ ],
+ "summary": "Constellation has insecure LUKS2 persistent storage partitions which may be opened and used in github.com/edgelesssys/constellation",
+ "details": "Constellation has insecure LUKS2 persistent storage partitions which may be opened and used in github.com/edgelesssys/constellation",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/edgelesssys/constellation",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/edgelesssys/constellation/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.24.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-hq76-6gh2-5g4q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58356"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/edgelesssys/constellation/commit/bb8d2c8a5c0a0a6510d2cc43055be21f4a3ab83c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/edgelesssys/constellation/pull/3927"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/edgelesssys/constellation/releases/tag/v2.24.0"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4076",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-4077.json b/data/osv/GO-2025-4077.json
new file mode 100644
index 0000000..5bcd548
--- /dev/null
+++ b/data/osv/GO-2025-4077.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-4077",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-62725",
+ "GHSA-gv8h-7v7w-r22q"
+ ],
+ "summary": "Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose",
+ "details": "Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/docker/compose",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ },
+ {
+ "package": {
+ "name": "github.com/docker/compose/v2",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.40.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62725"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-4077",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-4026.yaml b/data/reports/GO-2025-4026.yaml
new file mode 100644
index 0000000..67435e4
--- /dev/null
+++ b/data/reports/GO-2025-4026.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-4026
+modules:
+ - module: github.com/casdoor/casdoor
+ non_go_versions:
+ - fixed: 2.63.0
+ vulnerable_at: 1.1000.0
+summary: Casdoor is vulnerable to Improper Authorization in github.com/casdoor/casdoor
+cves:
+ - CVE-2025-61524
+ghsas:
+ - GHSA-5m9m-j5p7-m7f9
+references:
+ - advisory: https://github.com/advisories/GHSA-5m9m-j5p7-m7f9
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-61524
+ - fix: https://github.com/casdoor/casdoor/commit/d883db907bb6e0b95737ef8e8b57b7da9078cbdd
+ - web: http://casdoor.com
+ - web: https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a
+ - web: https://github.com/casdoor/casdoor/releases/tag/v2.63.0
+source:
+ id: GHSA-5m9m-j5p7-m7f9
+ created: 2025-10-28T17:37:10.310350876Z
+review_status: UNREVIEWED
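Review bot: The only fix boundary for github.com/casdoor/casdoor sits under `non_go_versions` (`fixed: 2.63.0`), so the module entry has no Go-visible fixed version. Scanners reading the generated range will presumably treat every version as affected, including builds that already contain the fix commit listed in the references. If that is not intended, record the boundary as a Go version, e.g. `versions:` with `- fixed: <pseudo-version of the fix commit>`, or say in the report why it cannot be mapped. Separately, the `web: http://casdoor.com` reference is plain HTTP; prefer the HTTPS form if the site serves it.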
diff --git a/data/reports/GO-2025-4028.yaml b/data/reports/GO-2025-4028.yaml
new file mode 100644
index 0000000..2ede99b
--- /dev/null
+++ b/data/reports/GO-2025-4028.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4028
+modules:
+ - module: github.com/in-toto/go-witness
+ versions:
+ - fixed: 0.9.1
+ vulnerable_at: 0.9.0
+summary: go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents in github.com/in-toto/go-witness
+cves:
+ - CVE-2025-62375
+ghsas:
+ - GHSA-72c7-4g63-hpw5
+references:
+ - advisory: https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62375
+ - fix: https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9
+source:
+ id: GHSA-72c7-4g63-hpw5
+ created: 2025-10-28T17:37:01.28933708Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4029.yaml b/data/reports/GO-2025-4029.yaml
new file mode 100644
index 0000000..5ad84ad
--- /dev/null
+++ b/data/reports/GO-2025-4029.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-4029
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.11+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.3+incompatible
+ - introduced: 10.11.0+incompatible
+ - fixed: 10.11.3+incompatible
+ vulnerable_at: 10.11.2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250822083415-01b95392a450
+ vulnerable_at: 8.0.0-20251028162707-35dd8dea5008
+summary: Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-41410
+ghsas:
+ - GHSA-3q4q-wqm6-hvf3
+references:
+ - advisory: https://github.com/advisories/GHSA-3q4q-wqm6-hvf3
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-41410
+ - web: https://github.com/mattermost/mattermost/commit/01b95392a450676407475596d1c041a047067329
+ - web: https://github.com/mattermost/mattermost/commit/0d6e8fa2e4681a172a136db18001104a57f9c28e
+ - web: https://github.com/mattermost/mattermost/commit/ef896a4ea60cacbe03124106e1f42e5c25276427
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-3q4q-wqm6-hvf3
+ created: 2025-10-28T17:35:57.036470094Z
+review_status: UNREVIEWED
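Review bot: In the github.com/mattermost/mattermost/server/v8 entry, `vulnerable_at: 8.0.0-20251028162707-35dd8dea5008` is dated after the fix recorded just above it (`fixed: 8.0.0-20250822083415-01b95392a450`), so the version named as vulnerable appears to already contain the fix. Its timestamp matches the report's `created` date, which suggests the tool picked the repository tip rather than a pre-fix commit. Either set `vulnerable_at` to a version before the fix, or drop it and add a `notes:` line as the other v8 entries in this commit do. GO-2025-4035.yaml has the same pairing (`fixed: 8.0.0-20250815100400-2d5cdc6e217e` with the same `vulnerable_at`), and GO-2025-4039.yaml may have it too, since its `vulnerable_at` pseudo-version also carries the creation date.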
diff --git a/data/reports/GO-2025-4030.yaml b/data/reports/GO-2025-4030.yaml
new file mode 100644
index 0000000..8bae9c0
--- /dev/null
+++ b/data/reports/GO-2025-4030.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-4030
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.11+incompatible
+ - introduced: 10.11.0+incompatible
+ - fixed: 10.11.3+incompatible
+ vulnerable_at: 10.11.2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250820115038-ff30b84049f0
+summary: Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-10545
+ghsas:
+ - GHSA-424h-xj87-m937
+references:
+ - advisory: https://github.com/advisories/GHSA-424h-xj87-m937
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-10545
+ - web: https://github.com/mattermost/mattermost/commit/fb9c583f5e466a566a5122154ef337bbf2238902
+ - web: https://github.com/mattermost/mattermost/commit/ff30b84049f0193f0570d30e46cffc3602298c67
+ - web: https://github.com/mattermost/mattermost/pull/31319
+ - web: https://github.com/mattermost/mattermost/pull/33827
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-424h-xj87-m937
+ created: 2025-10-28T17:35:48.880967716Z
+review_status: UNREVIEWED
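Review bot: The `github.com/mattermost/mattermost-server/v5` and `/v6` entries carry a `vulnerable_at` but no `versions`, so their ranges are open-ended even though the ranges on the unversioned module start at 10.5.0. As written, every v5 and v6 release would be reported as affected by an issue that, going by the other entries, was introduced in 10.5.0. Confirm against the advisory, then either remove these two modules or bound them. The same pattern is in GO-2025-4029.yaml, GO-2025-4032.yaml, GO-2025-4035.yaml and GO-2025-4036.yaml.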
diff --git a/data/reports/GO-2025-4031.yaml b/data/reports/GO-2025-4031.yaml
new file mode 100644
index 0000000..1985d43
--- /dev/null
+++ b/data/reports/GO-2025-4031.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-4031
+modules:
+ - module: github.com/mattermost/mattermost-server
+ unsupported_versions:
+ - cve_version_range: 'affected from 10.5.0 to 10.5.10 (default: unaffected)'
+ - cve_version_range: 'affected from 10.11.0 to 10.11.2 (default: unaffected)'
+ - cve_version_range: 'unaffected at 10.12.0 (default: unaffected)'
+ - cve_version_range: 'unaffected at 10.5.11 (default: unaffected)'
+ - cve_version_range: 'unaffected at 10.11.3 (default: unaffected)'
+ vulnerable_at: 11.0.4+incompatible
+summary: Guest user can discover active public channels in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-41443
+ghsas:
+ - GHSA-7cr3-38jm-6p45
+credits:
+ - lordwillmore
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-41443
+ - web: https://mattermost.com/security-updates
+source:
+ id: CVE-2025-41443
+ created: 2025-10-28T17:35:43.726068794Z
+review_status: UNREVIEWED
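Review bot: `vulnerable_at: 11.0.4+incompatible` lies outside every affected range quoted under `unsupported_versions` (10.5.0 to 10.5.10 and 10.11.0 to 10.11.2, with 10.12.0 listed as unaffected). Because the module has no `versions` block, the report also marks all releases as affected. The quoted CVE ranges map directly onto Go versions in the form the sibling reports use, so they can be moved into `versions`, with `vulnerable_at` set to a release inside one of the ranges. The boundaries below are taken from the `cve_version_range` lines and should be checked against the advisory before merging.

```yaml
modules:
  - module: github.com/mattermost/mattermost-server
    versions:
      - introduced: 10.5.0+incompatible
      - fixed: 10.5.11+incompatible
      - introduced: 10.11.0+incompatible
      - fixed: 10.11.3+incompatible
    vulnerable_at: 10.11.2+incompatible
```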
diff --git a/data/reports/GO-2025-4032.yaml b/data/reports/GO-2025-4032.yaml
new file mode 100644
index 0000000..eb66857
--- /dev/null
+++ b/data/reports/GO-2025-4032.yaml
@@ -0,0 +1,36 @@
+id: GO-2025-4032
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.11+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.3+incompatible
+ - introduced: 10.11.0+incompatible
+ - fixed: 10.11.2+incompatible
+ vulnerable_at: 10.11.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250807174701-e14175eb6539
+summary: Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-58073
+ghsas:
+ - GHSA-6q7m-p8cc-998r
+references:
+ - advisory: https://github.com/advisories/GHSA-6q7m-p8cc-998r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-58073
+ - web: https://github.com/mattermost/mattermost/commit/2096f975b2c0ebe95fb1078c3b1a527da574796d
+ - web: https://github.com/mattermost/mattermost/commit/39bd251fe4f66b7e847fc6d653221886347ff160
+ - web: https://github.com/mattermost/mattermost/commit/e14175eb65393bebc16dbb68a8105b3094b0f0dd
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-6q7m-p8cc-998r
+ created: 2025-10-28T17:35:19.396538716Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4033.yaml b/data/reports/GO-2025-4033.yaml
new file mode 100644
index 0000000..265cc0b
--- /dev/null
+++ b/data/reports/GO-2025-4033.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-4033
+modules:
+ - module: github.com/apache/trafficcontrol
+ vulnerable_at: 7.0.1+incompatible
+ - module: github.com/apache/trafficcontrol/v8
+ unsupported_versions:
+ - last_affected: 8.0.2
+ vulnerable_at: 8.0.2
+summary: |-
+ Apache Traffic Control has an Inefficient Regular Expression Complexity
+ vulnerability in github.com/apache/trafficcontrol
+cves:
+ - CVE-2025-61581
+ghsas:
+ - GHSA-9m49-p2j3-c6xm
+references:
+ - advisory: https://github.com/advisories/GHSA-9m49-p2j3-c6xm
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-61581
+ - web: https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp
+source:
+ id: GHSA-9m49-p2j3-c6xm
+ created: 2025-10-28T17:33:53.424928919Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4034.yaml b/data/reports/GO-2025-4034.yaml
new file mode 100644
index 0000000..3b56c19
--- /dev/null
+++ b/data/reports/GO-2025-4034.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-4034
+modules:
+ - module: github.com/minio/minio
+ versions:
+ - fixed: 0.0.0-20251015170045-c1a49490c78e
+summary: |-
+ MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service
+ Accounts and STS in github.com/minio/minio
+cves:
+ - CVE-2025-62506
+ghsas:
+ - GHSA-jjjj-jwhf-8rgr
+references:
+ - advisory: https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62506
+ - fix: https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190
+ - fix: https://github.com/minio/minio/pull/21642
+ - report: https://github.com/minio/minio/issues/21647
+ - web: https://github.com/minio/minio/discussions/21655
+ - web: https://news.ycombinator.com/item?id=45684035
+notes:
+ - fix: 'github.com/minio/minio: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-jjjj-jwhf-8rgr
+ created: 2025-10-28T17:33:46.579153394Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4035.yaml b/data/reports/GO-2025-4035.yaml
new file mode 100644
index 0000000..b4f2623
--- /dev/null
+++ b/data/reports/GO-2025-4035.yaml
@@ -0,0 +1,35 @@
+id: GO-2025-4035
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.11+incompatible
+ - introduced: 10.10.0+incompatible
+ - fixed: 10.10.3+incompatible
+ - introduced: 10.11.0+incompatible
+ - fixed: 10.11.2+incompatible
+ vulnerable_at: 10.11.2-rc2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ non_go_versions:
+ - fixed: 8.0.0-20250815100400-2d5cdc6e217e
+ vulnerable_at: 8.0.0-20251028162707-35dd8dea5008
+summary: Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-58075
+ghsas:
+ - GHSA-r6qj-894f-5hr2
+references:
+ - advisory: https://github.com/advisories/GHSA-r6qj-894f-5hr2
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-58075
+ - web: https://github.com/mattermost/mattermost/commit/0e478b2d895e89143c7732c7b33e16d98ace663d
+ - web: https://github.com/mattermost/mattermost/commit/2d5cdc6e217eb244e7f2122cb89f85140b6d982a
+ - web: https://github.com/mattermost/mattermost/commit/7a2ac23e207429d7db8acc3770908c15c0b5c33e
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-r6qj-894f-5hr2
+ created: 2025-10-28T17:32:46.536478665Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4036.yaml b/data/reports/GO-2025-4036.yaml
new file mode 100644
index 0000000..a9278ae
--- /dev/null
+++ b/data/reports/GO-2025-4036.yaml
@@ -0,0 +1,33 @@
+id: GO-2025-4036
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - introduced: 10.5.0+incompatible
+ - fixed: 10.5.11+incompatible
+ - introduced: 10.11.0+incompatible
+ - fixed: 10.11.3+incompatible
+ vulnerable_at: 10.11.2+incompatible
+ - module: github.com/mattermost/mattermost-server/v5
+ vulnerable_at: 5.39.3
+ - module: github.com/mattermost/mattermost-server/v6
+ vulnerable_at: 6.7.2
+ - module: github.com/mattermost/mattermost/server/v8
+ versions:
+ - fixed: 8.0.0-20250728063359-38208b8f065f
+summary: Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2025-54499
+ghsas:
+ - GHSA-xr3w-rmvj-f6m7
+references:
+ - advisory: https://github.com/advisories/GHSA-xr3w-rmvj-f6m7
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54499
+ - web: https://github.com/mattermost/mattermost/commit/38208b8f065f0786eac0e968f9d754b91b62878c
+ - web: https://github.com/mattermost/mattermost/commit/97a4c7839cf5610cfe17c52042878aebb7678372
+ - web: https://mattermost.com/security-updates
+notes:
+ - fix: 'github.com/mattermost/mattermost/server/v8: could not add vulnerable_at: could not find tagged version between introduced and fixed'
+source:
+ id: GHSA-xr3w-rmvj-f6m7
+ created: 2025-10-28T17:30:25.81356892Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4039.yaml b/data/reports/GO-2025-4039.yaml
new file mode 100644
index 0000000..48aaf8f
--- /dev/null
+++ b/data/reports/GO-2025-4039.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-4039
+modules:
+ - module: github.com/openbao/openbao
+ non_go_versions:
+ - fixed: 2.4.1
+ vulnerable_at: 0.0.0-20251028151953-42442639d226
+summary: |-
+ OpenBao has potential Denial of Service vulnerability when processing malicious
+ unauthenticated JSON requests in github.com/openbao/openbao
+cves:
+ - CVE-2025-59043
+ghsas:
+ - GHSA-g46h-2rq9-gw5m
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59043
+ - fix: https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c
+ - fix: https://github.com/openbao/openbao/pull/1756
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
+ - web: https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6203
+source:
+ id: GHSA-g46h-2rq9-gw5m
+ created: 2025-10-28T17:29:55.045246478Z
+review_status: UNREVIEWED
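Review bot: The only fix boundary here is `non_go_versions: fixed: 2.4.1`, with no `versions` list, so tooling that compares Go module versions has no upper bound and will presumably keep flagging patched builds. The `vulnerable_at` pseudo-version `0.0.0-20251028151953-42442639d226` is stamped the same day as `source.created`, which suggests it is the tip of the tree at generation time rather than a commit known to precede the fix. Resolve the Go version for the listed fix commit `d418f238bc99` and record it as `versions: - fixed: <pseudo-version of d418f238bc99>`, then pick a `vulnerable_at` below it. GO-2025-4067 has the same shape (`fixed: 0.1.1` under `non_go_versions`, `vulnerable_at` dated 20251028).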
diff --git a/data/reports/GO-2025-4040.yaml b/data/reports/GO-2025-4040.yaml
new file mode 100644
index 0000000..99caea7
--- /dev/null
+++ b/data/reports/GO-2025-4040.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-4040
+modules:
+ - module: github.com/netbirdio/netbird
+ versions:
+ - fixed: 0.57.0
+ vulnerable_at: 0.56.1
+summary: NetBird VPN does not remove the default password of an admin account in github.com/netbirdio/netbird
+cves:
+ - CVE-2025-10678
+ghsas:
+ - GHSA-g3j4-58mp-3x25
+references:
+ - advisory: https://github.com/advisories/GHSA-g3j4-58mp-3x25
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-10678
+ - fix: https://github.com/netbirdio/netbird/commit/cf7f6c355f713e83cf171b79e08dac60b316e4fd
+ - web: https://cert.pl/en/posts/2025/10/CVE-2025-10678
+ - web: https://netbird.io
+source:
+ id: GHSA-g3j4-58mp-3x25
+ created: 2025-10-28T17:29:49.262862032Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4041.yaml b/data/reports/GO-2025-4041.yaml
new file mode 100644
index 0000000..d5e3e39
--- /dev/null
+++ b/data/reports/GO-2025-4041.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4041
+modules:
+ - module: github.com/cosmos/evm
+ versions:
+ - introduced: 0.3.0
+ - fixed: 0.3.2
+ - introduced: 0.4.0
+ - fixed: 0.4.2
+ vulnerable_at: 0.4.1
+summary: Cosmos EVM Vulnerability in github.com/cosmos/evm
+ghsas:
+ - GHSA-8pfh-j44r-f654
+references:
+ - advisory: https://github.com/cosmos/evm/security/advisories/GHSA-8pfh-j44r-f654
+ - fix: https://github.com/cosmos/evm/commit/79089feebe79ce1f35250ba457cbd436e6bfff8b
+source:
+ id: GHSA-8pfh-j44r-f654
+ created: 2025-10-28T17:29:46.791379491Z
+review_status: UNREVIEWED
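Review bot: The `summary` value `Cosmos EVM Vulnerability in github.com/cosmos/evm` names no vulnerability class and no affected component, so someone triaging scanner output cannot judge impact without opening the advisory. The report also has no `cves` entry, which leaves GHSA-8pfh-j44r-f654 as the only cross-reference. Replace the summary with one sentence from the advisory that says what goes wrong and in which package, and add the CVE alias if one has been assigned.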
diff --git a/data/reports/GO-2025-4042.yaml b/data/reports/GO-2025-4042.yaml
new file mode 100644
index 0000000..9f48895
--- /dev/null
+++ b/data/reports/GO-2025-4042.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-4042
+modules:
+ - module: github.com/neuvector/neuvector
+ versions:
+ - introduced: 0.0.0-20230727023453-1c4957d53911
+ - fixed: 0.0.0-20251020133207-084a437033b4
+ non_go_versions:
+ - introduced: 5.3.0
+ - fixed: 5.3.5
+ - introduced: 5.4.0
+ - fixed: 5.4.7
+summary: NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow in github.com/neuvector/neuvector
+cves:
+ - CVE-2025-54469
+ghsas:
+ - GHSA-c8g6-qrwh-m3vp
+references:
+ - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp
+notes:
+ - fix: 'github.com/neuvector/neuvector: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-c8g6-qrwh-m3vp
+ created: 2025-10-28T17:29:43.684400833Z
+review_status: UNREVIEWED
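Review bot: The `references` list has an advisory link but no `fix` entry, although the `fixed` pseudo-version ends in `084a437033b4`. That is the same commit GO-2025-4043 lists as `fix: https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88`. If that commit does carry the Enforcer fix, add the same `- fix:` line here so the command-injection and buffer-overflow patch can be audited from the report. The two reports also disagree on `non_go_versions`: this one splits 5.3.0–5.3.5 and 5.4.0–5.4.7, while GO-2025-4043 gives a single 5.3.0–5.4.7 range. Both share the one Go `fixed` pseudo-version, so the Go-side range cannot express the 5.3.5 backport and should be checked against the advisory.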
diff --git a/data/reports/GO-2025-4043.yaml b/data/reports/GO-2025-4043.yaml
new file mode 100644
index 0000000..7c76987
--- /dev/null
+++ b/data/reports/GO-2025-4043.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-4043
+modules:
+ - module: github.com/neuvector/neuvector
+ versions:
+ - introduced: 0.0.0-20230727023453-1c4957d53911
+ - fixed: 0.0.0-20251020133207-084a437033b4
+ non_go_versions:
+ - introduced: 5.3.0
+ - fixed: 5.4.7
+summary: NeuVector is shipping cryptographic material into its binary in github.com/neuvector/neuvector
+cves:
+ - CVE-2025-54471
+ghsas:
+ - GHSA-h773-7gf7-9m2x
+references:
+ - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x
+ - fix: https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88
+notes:
+ - fix: 'github.com/neuvector/neuvector: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-h773-7gf7-9m2x
+ created: 2025-10-28T17:29:25.609924723Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4045.yaml b/data/reports/GO-2025-4045.yaml
new file mode 100644
index 0000000..59bc2c3
--- /dev/null
+++ b/data/reports/GO-2025-4045.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-4045
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.5.1+incompatible
+ vulnerable_at: 3.5.0+incompatible
+summary: |-
+ Mattermost Server vulnerable to Cross-site Scripting through file preview
+ feature in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11063
+ghsas:
+ - GHSA-cffj-7w5c-jqjh
+references:
+ - advisory: https://github.com/advisories/GHSA-cffj-7w5c-jqjh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11063
+ - web: https://github.com/mattermost/mattermost
+ - web: https://github.com/mattermost/mattermost/commit/48533aa483879a19fdd2c1e09c596aa6c028d439
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-cffj-7w5c-jqjh
+ created: 2025-10-28T17:29:14.286591577Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4046.yaml b/data/reports/GO-2025-4046.yaml
new file mode 100644
index 0000000..ca2cb65
--- /dev/null
+++ b/data/reports/GO-2025-4046.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4046
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.2.0+incompatible
+ vulnerable_at: 3.1.0+incompatible
+summary: Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11067
+ghsas:
+ - GHSA-ffcc-qr2v-3qmv
+references:
+ - advisory: https://github.com/advisories/GHSA-ffcc-qr2v-3qmv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11067
+ - web: https://github.com/mattermost/mattermost
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-ffcc-qr2v-3qmv
+ created: 2025-10-28T17:29:09.704974223Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4047.yaml b/data/reports/GO-2025-4047.yaml
new file mode 100644
index 0000000..52a21a5
--- /dev/null
+++ b/data/reports/GO-2025-4047.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4047
+modules:
+ - module: github.com/mattermost/mattermost-server
+ non_go_versions:
+ - fixed: 3.1.1
+ vulnerable_at: 11.0.4+incompatible
+summary: 'Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server'
+cves:
+ - CVE-2016-11066
+ghsas:
+ - GHSA-r93j-3mmp-px57
+references:
+ - advisory: https://github.com/advisories/GHSA-r93j-3mmp-px57
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11066
+ - web: https://github.com/mattermost/mattermost/commit/f89e7c6d543a82d6078c2ca0f892914d7976a6f5
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-r93j-3mmp-px57
+ created: 2025-10-28T17:29:03.0186527Z
+review_status: UNREVIEWED
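Review bot: `vulnerable_at: 11.0.4+incompatible` names a version far newer than the `fixed: 3.1.1` recorded under `non_go_versions`, so the report's test version contradicts its own fix boundary. Any symbol analysis run at that version would examine code released long after the fix. If the tag resolves as a Go version, move the boundary to `versions` as `- fixed: 3.1.1+incompatible` and set `vulnerable_at: 3.1.0+incompatible`, a version other reports in this commit already use. GO-2025-4061 has the same mismatch, and its `non_go_versions` value `2.0.1-0.20160310160916-26ad6d2c7696` is shaped like a Go pseudo-version, so it probably belongs under `versions` as well.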
diff --git a/data/reports/GO-2025-4048.yaml b/data/reports/GO-2025-4048.yaml
new file mode 100644
index 0000000..6dcfdbb
--- /dev/null
+++ b/data/reports/GO-2025-4048.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-4048
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.2.0+incompatible
+ vulnerable_at: 3.1.0+incompatible
+summary: Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11068
+ghsas:
+ - GHSA-7vmw-6c7h-rrrv
+references:
+ - advisory: https://github.com/advisories/GHSA-7vmw-6c7h-rrrv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11068
+ - web: https://github.com/mattermost/mattermost
+ - web: https://github.com/mattermost/mattermost/commit/6c5a8be6bfe1d6b9d8f71a6b0dc4d8cf93a03aab
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-7vmw-6c7h-rrrv
+ created: 2025-10-28T17:28:57.524390988Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4049.yaml b/data/reports/GO-2025-4049.yaml
new file mode 100644
index 0000000..25e8628
--- /dev/null
+++ b/data/reports/GO-2025-4049.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-4049
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - introduced: 0.0.0-20241114205727-b1235e585db7
+ - fixed: 0.0.0-20251022165510-cc2c476bac66
+summary: OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao
+cves:
+ - CVE-2025-62513
+ghsas:
+ - GHSA-ghfh-fmx4-26h8
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62513
+ - fix: https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-ghfh-fmx4-26h8
+ created: 2025-10-28T17:28:53.487629342Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4050.yaml b/data/reports/GO-2025-4050.yaml
new file mode 100644
index 0000000..4781425
--- /dev/null
+++ b/data/reports/GO-2025-4050.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-4050
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.1.0+incompatible
+ vulnerable_at: 3.0.3+incompatible
+summary: |-
+ Mattermost Server is vulnerable to XSS through customizable theme color-code
+ values in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11070
+ghsas:
+ - GHSA-h8qw-xqm9-q66j
+references:
+ - advisory: https://github.com/advisories/GHSA-h8qw-xqm9-q66j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11070
+ - web: https://github.com/mattermost/mattermost/commit/c5deb333db40e4e527f98edb93b41d1b66cfec5f
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-h8qw-xqm9-q66j
+ created: 2025-10-28T17:28:48.351420411Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4051.yaml b/data/reports/GO-2025-4051.yaml
new file mode 100644
index 0000000..75f50c5
--- /dev/null
+++ b/data/reports/GO-2025-4051.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4051
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.2.0+incompatible
+ vulnerable_at: 3.1.0+incompatible
+summary: Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11069
+ghsas:
+ - GHSA-qrf6-h5fc-7m96
+references:
+ - advisory: https://github.com/advisories/GHSA-qrf6-h5fc-7m96
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11069
+ - web: https://github.com/mattermost/mattermost/commit/c976c2881ce5e34febac8a9850a6bad5d728625e
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-qrf6-h5fc-7m96
+ created: 2025-10-28T17:28:43.583714508Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4052.yaml b/data/reports/GO-2025-4052.yaml
new file mode 100644
index 0000000..6b73b21
--- /dev/null
+++ b/data/reports/GO-2025-4052.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4052
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20251022165510-cc2c476bac66
+summary: OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao
+cves:
+ - CVE-2025-62705
+ghsas:
+ - GHSA-rc54-2g2c-g36g
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62705
+ - fix: https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-rc54-2g2c-g36g
+ created: 2025-10-28T17:28:39.125801265Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4053.yaml b/data/reports/GO-2025-4053.yaml
new file mode 100644
index 0000000..6b3ab23
--- /dev/null
+++ b/data/reports/GO-2025-4053.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4053
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11079
+ghsas:
+ - GHSA-2j9c-76pp-xc5q
+references:
+ - advisory: https://github.com/advisories/GHSA-2j9c-76pp-xc5q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11079
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-2j9c-76pp-xc5q
+ created: 2025-10-28T17:28:34.719041301Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4054.yaml b/data/reports/GO-2025-4054.yaml
new file mode 100644
index 0000000..ba76152
--- /dev/null
+++ b/data/reports/GO-2025-4054.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4054
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11076
+ghsas:
+ - GHSA-379p-37xc-q963
+references:
+ - advisory: https://github.com/advisories/GHSA-379p-37xc-q963
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11076
+ - web: https://github.com/mattermost/mattermost/commit/bac25154d659883c801b3bb9a0687f46570f5bbf
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-379p-37xc-q963
+ created: 2025-10-28T17:28:29.653595729Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4055.yaml b/data/reports/GO-2025-4055.yaml
new file mode 100644
index 0000000..e59b912
--- /dev/null
+++ b/data/reports/GO-2025-4055.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4055
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.2+incompatible
+ vulnerable_at: 3.0.1+incompatible
+summary: Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11072
+ghsas:
+ - GHSA-43m6-wvc8-2m7j
+references:
+ - advisory: https://github.com/advisories/GHSA-43m6-wvc8-2m7j
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11072
+ - web: https://github.com/mattermost/mattermost/commit/ac509b114df1c1b4b841eded74fb797805e0162d
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-43m6-wvc8-2m7j
+ created: 2025-10-28T17:28:24.693528222Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4056.yaml b/data/reports/GO-2025-4056.yaml
new file mode 100644
index 0000000..48580b8
--- /dev/null
+++ b/data/reports/GO-2025-4056.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4056
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11073
+ghsas:
+ - GHSA-9jrx-fgrm-96qh
+references:
+ - advisory: https://github.com/advisories/GHSA-9jrx-fgrm-96qh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11073
+ - web: https://github.com/mattermost/mattermost/commit/5ed7c3baa5b44356e92551c05e75ef2a47e2bf9b
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-9jrx-fgrm-96qh
+ created: 2025-10-28T17:28:19.702046059Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4057.yaml b/data/reports/GO-2025-4057.yaml
new file mode 100644
index 0000000..084c24a
--- /dev/null
+++ b/data/reports/GO-2025-4057.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4057
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11078
+ghsas:
+ - GHSA-9w4v-9c99-hv7r
+references:
+ - advisory: https://github.com/advisories/GHSA-9w4v-9c99-hv7r
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11078
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-9w4v-9c99-hv7r
+ created: 2025-10-28T17:28:15.283374604Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4058.yaml b/data/reports/GO-2025-4058.yaml
new file mode 100644
index 0000000..714ce26
--- /dev/null
+++ b/data/reports/GO-2025-4058.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-4058
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.1.0+incompatible
+ vulnerable_at: 3.0.3+incompatible
+summary: |-
+ Mattermost Server is vulnerable to XSS through lack of link relationship
+ attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11071
+ghsas:
+ - GHSA-h3qg-w9j5-wh3m
+references:
+ - advisory: https://github.com/advisories/GHSA-h3qg-w9j5-wh3m
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11071
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-h3qg-w9j5-wh3m
+ created: 2025-10-28T17:28:10.722729Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4059.yaml b/data/reports/GO-2025-4059.yaml
new file mode 100644
index 0000000..16c61fc
--- /dev/null
+++ b/data/reports/GO-2025-4059.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4059
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: 'Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server'
+cves:
+ - CVE-2016-11074
+ghsas:
+ - GHSA-j26g-95ph-2mwv
+references:
+ - advisory: https://github.com/advisories/GHSA-j26g-95ph-2mwv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11074
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-j26g-95ph-2mwv
+ created: 2025-10-28T17:28:06.485938884Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4060.yaml b/data/reports/GO-2025-4060.yaml
new file mode 100644
index 0000000..fc6956e
--- /dev/null
+++ b/data/reports/GO-2025-4060.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-4060
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: |-
+ Mattermost Server allows System Admin to modify LDAP account names and email
+ addresses in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11077
+ghsas:
+ - GHSA-mj8v-773w-5qhj
+references:
+ - advisory: https://github.com/advisories/GHSA-mj8v-773w-5qhj
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11077
+ - web: https://github.com/mattermost/mattermost/commit/5d7e34c94b56c4b0abb0c3d1702f2b5feb8d2904
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-mj8v-773w-5qhj
+ created: 2025-10-28T17:28:01.677654348Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4061.yaml b/data/reports/GO-2025-4061.yaml
new file mode 100644
index 0000000..597d7b6
--- /dev/null
+++ b/data/reports/GO-2025-4061.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4061
+modules:
+ - module: github.com/mattermost/mattermost-server
+ non_go_versions:
+ - fixed: 2.0.1-0.20160310160916-26ad6d2c7696
+ vulnerable_at: 11.0.4+incompatible
+summary: Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11075
+ghsas:
+ - GHSA-q3g9-hgrx-hwhx
+references:
+ - advisory: https://github.com/advisories/GHSA-q3g9-hgrx-hwhx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11075
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-q3g9-hgrx-hwhx
+ created: 2025-10-28T17:27:57.327347269Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4062.yaml b/data/reports/GO-2025-4062.yaml
new file mode 100644
index 0000000..330a9e8
--- /dev/null
+++ b/data/reports/GO-2025-4062.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4062
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 2.2.0+incompatible
+ vulnerable_at: 2.1.0+incompatible
+summary: Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11081
+ghsas:
+ - GHSA-5q37-9874-qxcw
+references:
+ - advisory: https://github.com/advisories/GHSA-5q37-9874-qxcw
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11081
+ - web: https://github.com/mattermost/mattermost/commit/a51a8ebc264c89f227e831c01fa048dafb7ee6c6
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-5q37-9874-qxcw
+ created: 2025-10-28T17:27:52.07713972Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4063.yaml b/data/reports/GO-2025-4063.yaml
new file mode 100644
index 0000000..b0db628
--- /dev/null
+++ b/data/reports/GO-2025-4063.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4063
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 3.0.0+incompatible
+ vulnerable_at: 2.2.0+incompatible
+summary: Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11080
+ghsas:
+ - GHSA-g3f3-p9rc-775p
+references:
+ - advisory: https://github.com/advisories/GHSA-g3f3-p9rc-775p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11080
+ - web: https://github.com/mattermost/mattermost/commit/6c75662b824491a20a757a5eec59556a866374b5
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-g3f3-p9rc-775p
+ created: 2025-10-28T17:27:35.123434116Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4064.yaml b/data/reports/GO-2025-4064.yaml
new file mode 100644
index 0000000..89513ea
--- /dev/null
+++ b/data/reports/GO-2025-4064.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4064
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 2.2.0+incompatible
+ vulnerable_at: 2.1.0+incompatible
+summary: Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11082
+ghsas:
+ - GHSA-m78r-2x6w-qqjp
+references:
+ - advisory: https://github.com/advisories/GHSA-m78r-2x6w-qqjp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11082
+ - web: https://github.com/mattermost/mattermost/commit/8736e9dad1afd0fec8746f1213f8b33b4ac61290
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-m78r-2x6w-qqjp
+ created: 2025-10-28T17:27:30.169816353Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4065.yaml b/data/reports/GO-2025-4065.yaml
new file mode 100644
index 0000000..a47acda
--- /dev/null
+++ b/data/reports/GO-2025-4065.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-4065
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 2.2.0+incompatible
+ vulnerable_at: 2.1.0+incompatible
+summary: |-
+ Mattermost Server: Files may be rendered inline instead of downloaded, allowing
+ script execution in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11083
+ghsas:
+ - GHSA-rm24-25xm-9454
+references:
+ - advisory: https://github.com/advisories/GHSA-rm24-25xm-9454
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11083
+ - web: https://github.com/mattermost/mattermost/commit/480308b7029a04cf41d0e9e7cd68b52dc2138e98
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-rm24-25xm-9454
+ created: 2025-10-28T17:27:24.864174199Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4066.yaml b/data/reports/GO-2025-4066.yaml
new file mode 100644
index 0000000..fae0191
--- /dev/null
+++ b/data/reports/GO-2025-4066.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4066
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 2.1.0+incompatible
+ vulnerable_at: 2.0.0+incompatible
+summary: Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2016-11084
+ghsas:
+ - GHSA-vw57-55f8-c73q
+references:
+ - advisory: https://github.com/advisories/GHSA-vw57-55f8-c73q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2016-11084
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-vw57-55f8-c73q
+ created: 2025-10-28T17:27:14.096397305Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4067.yaml b/data/reports/GO-2025-4067.yaml
new file mode 100644
index 0000000..f7e3700
--- /dev/null
+++ b/data/reports/GO-2025-4067.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4067
+modules:
+ - module: github.com/openbao/openbao-plugins
+ non_go_versions:
+ - fixed: 0.1.1
+ vulnerable_at: 0.0.0-20251028080446-cd3e9798835a
+summary: |-
+ OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS
+ Auth Method in github.com/openbao/openbao-plugins
+cves:
+ - CVE-2025-59048
+ghsas:
+ - GHSA-jp7h-4f3c-9rc7
+references:
+ - advisory: https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7
+ - fix: https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae
+source:
+ id: GHSA-jp7h-4f3c-9rc7
+ created: 2025-10-28T17:27:08.088869588Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4068.yaml b/data/reports/GO-2025-4068.yaml
new file mode 100644
index 0000000..8a4ed2c
--- /dev/null
+++ b/data/reports/GO-2025-4068.yaml
@@ -0,0 +1,22 @@
+id: GO-2025-4068
+modules:
+ - module: github.com/slackhq/nebula
+ versions:
+ - introduced: 1.9.4
+ - fixed: 1.9.7
+ vulnerable_at: 1.9.6
+summary: Slack Nebula may accept arbitrary source IP addresses in github.com/slackhq/nebula
+cves:
+ - CVE-2025-62820
+ghsas:
+ - GHSA-x6fh-7qmf-69xh
+references:
+ - advisory: https://github.com/advisories/GHSA-x6fh-7qmf-69xh
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62820
+ - fix: https://github.com/slackhq/nebula/commit/e264a0ff888c7bf0568579306755a60fc42f6ecc
+ - fix: https://github.com/slackhq/nebula/pull/1493
+ - fix: https://github.com/slackhq/nebula/pull/1494
+source:
+ id: GHSA-x6fh-7qmf-69xh
+ created: 2025-10-28T17:26:57.321595853Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4070.yaml b/data/reports/GO-2025-4070.yaml
new file mode 100644
index 0000000..797ad4f
--- /dev/null
+++ b/data/reports/GO-2025-4070.yaml
@@ -0,0 +1,23 @@
+id: GO-2025-4070
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 0.6.0
+ - fixed: 1.21.0
+ vulnerable_at: 1.21.0-rc1
+summary: |-
+ HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to
+ authentication bypass in github.com/hashicorp/vault
+cves:
+ - CVE-2025-11621
+ghsas:
+ - GHSA-9g4h-h484-3578
+references:
+ - advisory: https://github.com/advisories/GHSA-9g4h-h484-3578
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-11621
+ - fix: https://github.com/hashicorp/vault/commit/8d07273d14ae7f5a48cc96f66cc86615dea83390
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709
+source:
+ id: GHSA-9g4h-h484-3578
+ created: 2025-10-28T17:26:51.889081949Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4071.yaml b/data/reports/GO-2025-4071.yaml
new file mode 100644
index 0000000..3a3a55b
--- /dev/null
+++ b/data/reports/GO-2025-4071.yaml
@@ -0,0 +1,24 @@
+id: GO-2025-4071
+modules:
+ - module: github.com/hashicorp/vault
+ versions:
+ - introduced: 1.20.3
+ - fixed: 1.21.0
+ vulnerable_at: 1.21.0-rc1
+summary: |-
+ Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when
+ processing JSON in github.com/hashicorp/vault
+cves:
+ - CVE-2025-12044
+ghsas:
+ - GHSA-vp5w-xcfc-73wf
+references:
+ - advisory: https://github.com/advisories/GHSA-vp5w-xcfc-73wf
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-12044
+ - fix: https://github.com/hashicorp/vault/commit/b19e74c29a33ed2a99fc01626104db1a49345df3
+ - fix: https://github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab89
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710
+source:
+ id: GHSA-vp5w-xcfc-73wf
+ created: 2025-10-28T17:26:42.418022014Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4072.yaml b/data/reports/GO-2025-4072.yaml
new file mode 100644
index 0000000..91c9adf
--- /dev/null
+++ b/data/reports/GO-2025-4072.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4072
+modules:
+ - module: github.com/karmada-io/dashboard
+ versions:
+ - fixed: 0.2.0
+ vulnerable_at: 0.1.0
+summary: Karmada Dashboard API Unauthorized Access Vulnerability in github.com/karmada-io/dashboard
+cves:
+ - CVE-2025-62714
+ghsas:
+ - GHSA-5qjg-9mjh-4r92
+references:
+ - advisory: https://github.com/karmada-io/dashboard/security/advisories/GHSA-5qjg-9mjh-4r92
+ - fix: https://github.com/karmada-io/dashboard/pull/271
+ - fix: https://github.com/karmada-io/dashboard/pull/280
+ - web: https://github.com/karmada-io/dashboard/releases/tag/v0.2.0
+source:
+ id: GHSA-5qjg-9mjh-4r92
+ created: 2025-10-28T17:26:34.962825452Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4073.yaml b/data/reports/GO-2025-4073.yaml
new file mode 100644
index 0000000..3a37b5d
--- /dev/null
+++ b/data/reports/GO-2025-4073.yaml
@@ -0,0 +1,19 @@
+id: GO-2025-4073
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - fixed: 0.0.0-20251014212116-7faa74a968c2
+summary: Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher
+cves:
+ - CVE-2023-32199
+ghsas:
+ - GHSA-j4vr-pcmw-hx59
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59
+ - fix: https://github.com/rancher/rancher/pull/52303
+notes:
+ - fix: 'github.com/rancher/rancher: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-j4vr-pcmw-hx59
+ created: 2025-10-28T17:26:30.084281576Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4074.yaml b/data/reports/GO-2025-4074.yaml
new file mode 100644
index 0000000..97f4350
--- /dev/null
+++ b/data/reports/GO-2025-4074.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-4074
+modules:
+ - module: github.com/rancher/rancher
+ versions:
+ - fixed: 0.0.0-20251013203444-50dc516a19ea
+summary: Rancher exposes sensitive information through audit logs in github.com/rancher/rancher
+cves:
+ - CVE-2024-58269
+ghsas:
+ - GHSA-mw39-9qc2-f7mg
+references:
+ - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-mw39-9qc2-f7mg
+ - fix: https://github.com/rancher/rancher/commit/26ad9216e94f77b5471f638256a6989030572adc
+ - fix: https://github.com/rancher/rancher/commit/50dc516a19ea216e270f738912dc8d0c9ca99d5d
+notes:
+ - fix: 'github.com/rancher/rancher: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
+source:
+ id: GHSA-mw39-9qc2-f7mg
+ created: 2025-10-28T17:26:25.034654888Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4075.yaml b/data/reports/GO-2025-4075.yaml
new file mode 100644
index 0000000..64ef497
--- /dev/null
+++ b/data/reports/GO-2025-4075.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-4075
+modules:
+ - module: github.com/mattermost/mattermost-server
+ versions:
+ - fixed: 4.3.3+incompatible
+ - introduced: 4.4.0-rc1+incompatible
+ - fixed: 4.4.3+incompatible
+ vulnerable_at: 4.4.3-rc1+incompatible
+summary: |-
+ Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing
+ Authorization in github.com/mattermost/mattermost-server
+cves:
+ - CVE-2017-18872
+ghsas:
+ - GHSA-hgrp-fgm8-56g8
+references:
+ - advisory: https://github.com/advisories/GHSA-hgrp-fgm8-56g8
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2017-18872
+ - web: http://github.com/mattermost/mattermost/commit/753386c2b2b06233d8bd977e3db29a4fe18098cb
+ - web: https://github.com/mattermost/mattermost/commit/8f6bb1570dd234c63de5241eff9fbb268aad358c
+ - web: https://mattermost.com/security-updates
+source:
+ id: GHSA-hgrp-fgm8-56g8
+ created: 2025-10-28T17:26:08.605668904Z
+review_status: UNREVIEWED
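Review bot: The first `web` reference uses plain `http://github.com/...` while every other link in the report is HTTPS, so it should read `- web: https://github.com/mattermost/mattermost/commit/753386c2b2b06233d8bd977e3db29a4fe18098cb`. Both commit links are tagged `web` rather than `fix`, so a consumer that looks for `fix` references will presumably find no patch for this Missing Authorization issue. If these are the commits behind the 4.3.3 and 4.4.3 boundaries, retag them as `fix` during review.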
diff --git a/data/reports/GO-2025-4076.yaml b/data/reports/GO-2025-4076.yaml
new file mode 100644
index 0000000..85171ff
--- /dev/null
+++ b/data/reports/GO-2025-4076.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-4076
+modules:
+ - module: github.com/edgelesssys/constellation
+ vulnerable_at: 0.0.0
+ - module: github.com/edgelesssys/constellation/v2
+ versions:
+ - fixed: 2.24.0
+ vulnerable_at: 2.23.1
+summary: |-
+ Constellation has insecure LUKS2 persistent storage partitions which may be
+ opened and used in github.com/edgelesssys/constellation
+cves:
+ - CVE-2025-58356
+ghsas:
+ - GHSA-hq76-6gh2-5g4q
+references:
+ - advisory: https://github.com/edgelesssys/constellation/security/advisories/GHSA-hq76-6gh2-5g4q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-58356
+ - fix: https://github.com/edgelesssys/constellation/commit/bb8d2c8a5c0a0a6510d2cc43055be21f4a3ab83c
+ - fix: https://github.com/edgelesssys/constellation/pull/3927
+ - web: https://github.com/edgelesssys/constellation/releases/tag/v2.24.0
+source:
+ id: GHSA-hq76-6gh2-5g4q
+ created: 2025-10-28T17:26:00.696608642Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-4077.yaml b/data/reports/GO-2025-4077.yaml
new file mode 100644
index 0000000..8020f0b
--- /dev/null
+++ b/data/reports/GO-2025-4077.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-4077
+modules:
+ - module: github.com/docker/compose
+ vulnerable_at: 1.25.2
+ - module: github.com/docker/compose/v2
+ versions:
+ - fixed: 2.40.2
+ vulnerable_at: 2.40.1
+summary: Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose
+cves:
+ - CVE-2025-62725
+ghsas:
+ - GHSA-gv8h-7v7w-r22q
+references:
+ - advisory: https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62725
+ - fix: https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176
+source:
+ id: GHSA-gv8h-7v7w-r22q
+ created: 2025-10-28T17:25:51.997298885Z
+review_status: UNREVIEWED