Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Search
Recent Reports
GO-2026-4322
- CVE-2026-22045, GHSA-cwjm-3f7h-9hwq
- Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
- Published: Jan 23, 2026
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall in github.com/traefik/traefik
GO-2026-4321
- CVE-2025-68671, GHSA-f2ph-gc9m-q55f
- Affects: github.com/treeverse/lakefs
- Published: Jan 23, 2026
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication in github.com/treeverse/lakefs
GO-2026-4320
- CVE-2026-23520, GHSA-gjqq-6r35-w3r8
- Affects: github.com/getarcaneapp/arcane/backend
- Published: Jan 23, 2026
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend
GO-2026-4319
- CVE-2026-23511, GHSA-pvm5-9frx-264r
- Affects: github.com/zitadel/zitadel
- Published: Jan 23, 2026
Zitadel has a user enumeration vulnerability in Login UIs in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v3.4.6, from v4.0.0 before v4.9.1.
GO-2026-4318
- CVE-2025-66292, GHSA-vh2x-fw87-4fxq
- Affects: github.com/donknap/dpanel
- Published: Jan 23, 2026
DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface in github.com/donknap/dpanel
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.