Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Search
Recent Reports
- CVE-2026-22045, GHSA-cwjm-3f7h-9hwq
- Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
- Published: Jan 23, 2026
- Unreviewed
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall in github.com/traefik/traefik
- CVE-2025-68671, GHSA-f2ph-gc9m-q55f
- Affects: github.com/treeverse/lakefs
- Published: Jan 23, 2026
- Unreviewed
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication in github.com/treeverse/lakefs
- CVE-2026-23520, GHSA-gjqq-6r35-w3r8
- Affects: github.com/getarcaneapp/arcane/backend
- Published: Jan 23, 2026
- Unreviewed
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend
- CVE-2026-23511, GHSA-pvm5-9frx-264r
- Affects: github.com/zitadel/zitadel
- Published: Jan 23, 2026
- Unreviewed
Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v3.4.6, from v4.0.0 before v4.9.1.
- CVE-2025-66292, GHSA-vh2x-fw87-4fxq
- Affects: github.com/donknap/dpanel
- Published: Jan 23, 2026
- Unreviewed
DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface in github.com/donknap/dpanel
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.