Go Vulnerability Database

Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.

Search

Recent Reports

GO-2025-3737

Gokapi vulnerable to stored XSS via uploading file with malicious file name in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.

GO-2025-3736

Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.

GO-2025-3735

Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go

GO-2025-3734

Navidrome allows SQL Injection via role parameter in github.com/navidrome/navidrome

GO-2025-3733

Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome

View all reports

If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL