{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "govulncheck/vex:b37b5a818b9ab19c690fb57cff0cc64605e7ba1ee93992b7bc5a401a6432cc72", "author": "Unknown Author", "timestamp": "2026-06-03T01:07:46.505201315Z", "version": 1, "tooling": "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck", "statements": [ { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4311", "name": "GO-2026-4311", "description": "Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass in github.com/sigstore/fulcio", "aliases": [ "CVE-2026-22772", "GHSA-59jp-pj84-45mr" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fsigstore%2Ffulcio@v1.8.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4358", "name": "GO-2026-4358", "description": "Sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal in github.com/sigstore/sigstore", "aliases": [ "CVE-2026-24137", "GHSA-fcv2-xgw5-pqxf" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fsigstore%2Fsigstore@v1.10.3" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_present", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4473", "name": "GO-2026-4473", "description": "Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git", "aliases": [ "CVE-2026-25934", "GHSA-37cx-329c-33x3" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4517", "name": "GO-2026-4517", "description": "Kata Container to Guest micro VM privilege escalation in github.com/kata-containers/kata-containers/src/runtime", "aliases": [ "CVE-2026-24834", "GHSA-wwj6-vghv-5p64" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fkata-containers%2Fkata-containers%2Fsrc%2Fruntime@v0.0.0-20250828155603-754f07cff239" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4550", "name": "GO-2026-4550", "description": "CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl", "aliases": [ "CVE-2026-1229", "GHSA-q9hv-hpm4-hj6x" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fcloudflare%2Fcircl@v1.6.1" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4883", "name": "GO-2026-4883", "description": "Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker", "aliases": [ "CVE-2026-33997", "GHSA-pxq6-2prw-chj9" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fdocker%2Fdocker@v28.5.2+incompatible" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4887", "name": "GO-2026-4887", "description": "Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker", "aliases": [ "CVE-2026-34040", "GHSA-x744-4wpc-v9h2" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fdocker%2Fdocker@v28.5.2+incompatible" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4909", "name": "GO-2026-4909", "description": "Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git", "aliases": [ "CVE-2026-33762", "GHSA-gm2x-2g9h-ccm8" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4910", "name": "GO-2026-4910", "description": "Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git", "aliases": [ "CVE-2026-34165", "GHSA-jhf3-xxhw-2wpp" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fgo-git%2Fgo-git%2Fv5@v5.16.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4918", "name": "GO-2026-4918", "description": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net", "aliases": [ "CVE-2026-33814" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-4945", "name": "GO-2026-4945", "description": "Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose", "aliases": [ "CVE-2026-34986", "GHSA-78h2-9frx-2jm8" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/github.com%2Fgo-jose%2Fgo-jose%2Fv4@v4.1.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5005", "name": "GO-2026-5005", "description": "Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent", "aliases": [ "CVE-2026-39833" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5006", "name": "GO-2026-5006", "description": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent", "aliases": [ "CVE-2026-39832" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5013", "name": "GO-2026-5013", "description": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-46597" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5014", "name": "GO-2026-5014", "description": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39828" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5015", "name": "GO-2026-5015", "description": "Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39835" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5016", "name": "GO-2026-5016", "description": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39827" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5017", "name": "GO-2026-5017", "description": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39830" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5018", "name": "GO-2026-5018", "description": "Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39829" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5019", "name": "GO-2026-5019", "description": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39831" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5020", "name": "GO-2026-5020", "description": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-39834" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5021", "name": "GO-2026-5021", "description": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts", "aliases": [ "CVE-2026-42508" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5023", "name": "GO-2026-5023", "description": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh", "aliases": [ "CVE-2026-46595" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5024", "name": "GO-2026-5024", "description": "Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows", "aliases": [ "CVE-2026-39824" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fsys@v0.41.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_present", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5025", "name": "GO-2026-5025", "description": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html", "aliases": [ "CVE-2026-42506" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5026", "name": "GO-2026-5026", "description": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna", "aliases": [ "CVE-2026-39821" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5027", "name": "GO-2026-5027", "description": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html", "aliases": [ "CVE-2026-42502" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5028", "name": "GO-2026-5028", "description": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html", "aliases": [ "CVE-2026-25680" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5029", "name": "GO-2026-5029", "description": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html", "aliases": [ "CVE-2026-25681" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5030", "name": "GO-2026-5030", "description": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html", "aliases": [ "CVE-2026-27136" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fnet@v0.51.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5033", "name": "GO-2026-5033", "description": "Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent", "aliases": [ "CVE-2026-46598" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/golang.org%2Fx%2Fcrypto@v0.48.0" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "Govulncheck determined that the vulnerable code isn't called" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5037", "name": "GO-2026-5037", "description": "Inefficient candidate hostname parsing in crypto/x509", "aliases": [ "CVE-2026-27145" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/stdlib@v1.26.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5038", "name": "GO-2026-5038", "description": "Quadratic complexity in WordDecoder.DecodeHeader in mime", "aliases": [ "CVE-2026-42504" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/stdlib@v1.26.3" } ] } ], "status": "affected" }, { "vulnerability": { "@id": "https://pkg.go.dev/vuln/GO-2026-5039", "name": "GO-2026-5039", "description": "Arbitrary inputs are included in errors without any escaping in net/textproto", "aliases": [ "CVE-2026-42507" ] }, "products": [ { "@id": "Unknown Product", "subcomponents": [ { "@id": "pkg:golang/stdlib@v1.26.3" } ] } ], "status": "affected" } ] }