Go Vulnerability Database

• CVE-2025-68153, GHSA-245v-p8fj-vwm2
• Affects: github.com/juju/juju
• Published: Apr 06, 2026

Juju has a resource poisoning vulnerability in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9 before v2.9.56, from v3.6 before v3.6.19.

• CVE-2026-33817
• Affects: go.etcd.io/bbolt
• Published: Apr 06, 2026

Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt

• CVE-2026-34940, GHSA-324q-cwx9-7crr
• Affects: github.com/kubeai-project/kubeai
• Published: Apr 06, 2026

KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai

• CVE-2026-33634, GHSA-69fq-xp46-6x23
• Affects: github.com/aquasecurity/trivy
• Published: Apr 01, 2026

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release.

• CVE-2026-26233, GHSA-247x-7qw8-fp98
• Affects: github.com/mattermost/mattermost-server
• Published: Apr 02, 2026

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v8.0.0-20260105080200-d27a2195068d before v8.0.0-20260217110922-b7d4a1f1f59b.