Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Recent Reports
GO-2025-4019
- GHSA-xc79-566c-j4qx
- Affects: github.com/microstack-tech/parallax
- Published: Oct 23, 2025
Parallax is vulnerable to DoS via malicious p2p message in github.com/microstack-tech/parallax
GO-2025-4018
- CVE-2025-61926, GHSA-33f4-mjch-7fpr
- Affects: github.com/ossf/allstar
- Published: Oct 23, 2025
Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret in github.com/ossf/allstar
GO-2025-3998
- CVE-2025-23267, GHSA-67jc-hmvg-q4c7
- Affects: github.com/NVIDIA/gpu-operator, github.com/NVIDIA/k8s-device-plugin, and 2 more
- Published: Oct 23, 2025
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook in github.com/NVIDIA/gpu-operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/NVIDIA/gpu-operator before v25.3.2.
GO-2025-3997
- CVE-2025-61595, GHSA-qwvm-wqq8-8j69
- Affects: github.com/MANTRA-Chain/mantrachain, github.com/MANTRA-Chain/mantrachain/v2, and 2 more
- Published: Oct 23, 2025
github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks in github.com/MANTRA-Chain/mantrachain
GO-2025-3996
- CVE-2025-59537, GHSA-wp4p-9pxh-cgx2
- Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2, and 1 more
- Published: Oct 23, 2025
argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.