Go Vulnerability Database

• CVE-2025-48494, GHSA-95rc-wc32-gm53
• Affects: github.com/forceu/gokapi
• Published: Jun 03, 2025

Gokapi vulnerable to stored XSS via uploading file with malicious file name in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.

• CVE-2025-48495, GHSA-4xg4-54hm-9j77
• Affects: github.com/forceu/gokapi
• Published: Jun 03, 2025

Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.

• CVE-2025-29785, GHSA-j972-j939-p2v3
• Affects: github.com/quic-go/quic-go
• Published: Jun 03, 2025

Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go

• CVE-2025-48949, GHSA-5wgp-vjxm-3x2r
• Affects: github.com/navidrome/navidrome
• Published: Jun 03, 2025

Navidrome allows SQL Injection via role parameter in github.com/navidrome/navidrome

• CVE-2025-48948, GHSA-f238-rggp-82m3
• Affects: github.com/navidrome/navidrome
• Published: Jun 03, 2025

Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome