{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "govulncheck/vex:d884e70d3f01f3d1a17f85c2d35538da9124642a3495203b43558a51372885a8",
  "author": "Unknown Author",
  "timestamp": "2026-05-06T00:29:11.582501105Z",
  "version": 1,
  "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck",
  "statements": [
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4311",
        "name": "GO-2026-4311",
        "description": "Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass in github.com/sigstore/fulcio",
        "aliases": [
          "CVE-2026-22772",
          "GHSA-59jp-pj84-45mr"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fsigstore%2Ffulcio@v1.8.3"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4358",
        "name": "GO-2026-4358",
        "description": "Sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal in github.com/sigstore/sigstore",
        "aliases": [
          "CVE-2026-24137",
          "GHSA-fcv2-xgw5-pqxf"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fsigstore%2Fsigstore@v1.10.3"
            }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4473",
        "name": "GO-2026-4473",
        "description": "Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git",
        "aliases": [
          "CVE-2026-25934",
          "GHSA-37cx-329c-33x3"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4517",
        "name": "GO-2026-4517",
        "description": "Kata Container to Guest micro VM privilege escalation in github.com/kata-containers/kata-containers/src/runtime",
        "aliases": [
          "CVE-2026-24834",
          "GHSA-wwj6-vghv-5p64"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fkata-containers%2Fkata-containers%2Fsrc%2Fruntime@v0.0.0-20250828155603-754f07cff239"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4550",
        "name": "GO-2026-4550",
        "description": "CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl",
        "aliases": [
          "CVE-2026-1229",
          "GHSA-q9hv-hpm4-hj6x"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fcloudflare%2Fcircl@v1.6.1"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4883",
        "name": "GO-2026-4883",
        "description": "Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker",
        "aliases": [
          "CVE-2026-33997",
          "GHSA-pxq6-2prw-chj9"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fdocker%2Fdocker@v28.5.2+incompatible"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4887",
        "name": "GO-2026-4887",
        "description": "Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker",
        "aliases": [
          "CVE-2026-34040",
          "GHSA-x744-4wpc-v9h2"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fdocker%2Fdocker@v28.5.2+incompatible"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4909",
        "name": "GO-2026-4909",
        "description": "Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git",
        "aliases": [
          "CVE-2026-33762",
          "GHSA-gm2x-2g9h-ccm8"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3"
            }
          ]
        }
      ],
      "status": "affected"
    },
    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2026-4910",
        "name": "GO-2026-4910",
        "description": "Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git",
        "aliases": [
          "CVE-2026-34165",
          "GHSA-jhf3-xxhw-2wpp"
        ]
      },
      "products": [
        {
          "@id": "Unknown Product",
          "subcomponents": [
            {
              "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3"
            }
          ]
        }
      ],
      "status": "affected"
    }
  ]
}