Go Vulnerability Database

Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.

Search

Recent Reports

GO-2026-4309

  • CVE-2026-22703, GHSA-whqx-f9j3-ch6m
  • Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2, and 1 more
  • Published: Jan 13, 2026
  • Unreviewed

Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign

GO-2026-4308

  • CVE-2025-60538, GHSA-mw8h-g64c-rxv4
  • Affects: github.com/go-shiori/shiori
  • Published: Jan 13, 2026
  • Unreviewed

Shiori is vulnerable to authentication bypass via a brute force attack in github.com/go-shiori/shiori

GO-2026-4306

  • CVE-2017-18905, GHSA-g24c-fx4v-xg9w
  • Affects: github.com/mattermost/mattermost-server
  • Published: Jan 13, 2026
  • Unreviewed

Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server

GO-2026-4304

  • CVE-2017-18901, GHSA-c253-8hr4-r8v9
  • Affects: github.com/mattermost/mattermost-server
  • Published: Jan 13, 2026
  • Unreviewed

CVE-2017-18901 in github.com/mattermost/mattermost-server

GO-2026-4303

  • CVE-2017-18900, GHSA-8q4v-35v6-g8wr
  • Affects: github.com/mattermost/mattermost-server
  • Published: Jan 13, 2026
  • Unreviewed

Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server

View all reports

If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.