CVE Daily
← All tags

Tag: Go

All CVEs associated with "Go". Page 7/13 • 1450 CVEs.

Subscribe CVEs: RSS for “Go”  ·  RSS (High+Critical only)

About “Go”

A curated feed of “Go”-related CVEs appears below. We currently track 1450 CVEs for this tag (all time). In the last 365 days, 476 were published. Average CVSS is 6.9 (all time; 6.8 over 365d), and 53% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-918 - Server-Side Request Forgery (SSRF).

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-03-17
Medium

CVE-2024-2564

A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argume…

CVSS: 6.3 CWE: CWE-24 - Path Traversal: '../filedir' View on NVD
Medium

CVE-2024-2563

A vulnerability has been found in PandaXGO PandaX up to 20240310 and classified as critical. This vulnerability affects the function DeleteImage of the file /apps/system/router/upload.go. The manipul…

CVSS: 5.4 CWE: CWE-24 - Path Traversal: '../filedir' View on NVD
Medium

CVE-2024-2562

A vulnerability, which was classified as critical, was found in PandaXGO PandaX up to 20240310. This affects the function InsertRole of the file /apps/system/services/role_menu.go. The manipulation o…

CVSS: 6.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-03-15
Medium

CVE-2021-47128

In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SEL…

CVSS: 5.5 CWE: CWE-667 - Improper Locking View on NVD
Medium

CVE-2021-47117

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO…

CVSS: 5.5 CWE: N/A View on NVD
2024-03-13
Medium

CVE-2024-1582

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgmza' shortcode in all versions up to, and including, 9.0.32 due to insu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-4839

The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-03-09
Medium

CVE-2024-28122

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (Do…

CVSS: 6.8 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-03-06
High

CVE-2024-28110

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an a…

CVSS: 7.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
High

CVE-2023-48703

RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the `xmlsec1` command line tool is called inte…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2024-27304

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message si…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-27302

go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable allows param - which is an array of domains allowed in CORS policy. However, the `isOriginAllowed`…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-27289

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder fo…

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-03-04
Medium

CVE-2021-47105

In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW r…

CVSS: 5.5 CWE: CWE-401 - Missing Release of Memory after Effective Lifetime View on NVD
Medium

CVE-2021-47099

In the Linux kernel, the following vulnerability has been resolved: veth: ensure skb entering GRO are not cloned. After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is…

CVSS: 6.0 CWE: N/A View on NVD
2024-02-29
High

CVE-2024-27294

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the instal…

CVSS: 7.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2023-50658

The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2024-02-26
High

CVE-2024-27359

Certain WithSecure products allow a Denial of Service because the engine scanner can go into an infinite loop when processing an archive file. This affects WithSecure Client Security 15, WithSecure S…

CVSS: 7.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
High

CVE-2024-22873

Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attacke…

CVSS: 8.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-02-21
Critical

CVE-2024-25124

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerab…

CVSS: 9.4 CWE: CWE-346 - Origin Validation Error View on NVD
2024-02-06
Critical

CVE-2024-22853

D-LINK Go-RT-AC750 GORTAC750_A1_FW_v101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session.

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2024-22852

D-Link Go-RT-AC750 GORTAC750_A1_FW_v101b03 contains a stack-based buffer overflow via the function genacgi_main. This vulnerability allows attackers to enable telnet service via a specially crafted p…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2023-47353

An issue in the com.oneed.dvr.service.DownloadFirmwareService component of IMOU GO v1.0.11 allows attackers to force the download of arbitrary files.

CVSS: 8.8 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2024-01-31
Medium

CVE-2024-24579

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-01-30
Medium

CVE-2024-23840

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-01-25
High

CVE-2024-23656

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1…

CVSS: 7.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2024-01-24
Medium

CVE-2023-6697

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-01-18
High

CVE-2024-22419

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existin…

CVSS: 7.3 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2024-01-16
Critical

CVE-2024-22916

In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 function within the cgibin is susceptible to stack overflow.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2024-01-15
Medium

CVE-2024-0530

A vulnerability was found in CXBSoft Post-Office up to 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /apps/reg_go.php of the component HTTP POST Req…

CVSS: 5.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-0528

A vulnerability, which was classified as critical, was found in CXBSoft Post-Office 1.0. Affected is an unknown function of the file /admin/pages/update_go.php of the component HTTP POST Request Hand…

CVSS: 5.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-0527

A vulnerability, which was classified as critical, has been found in CXBSoft Url-shorting up to 1.3.1. This issue affects some unknown processing of the file /admin/pages/update_go.php of the compone…

CVSS: 6.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-01-12
Critical

CVE-2023-49569

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, rem…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2023-49568

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted res…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2024-01-10
Medium

CVE-2023-49295

quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiv…

CVSS: 6.4 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2023-5455

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could p…

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2020-26630

A Time-Based SQL Injection vulnerability was discovered in Hospital Management System V4.0 which can allow an attacker to dump database information via a special payload in the 'Doctor Specialization…

CVSS: 4.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-01-09
Medium

CVE-2024-21664

jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present whil…

CVSS: 4.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2024-01-08
Medium

CVE-2023-6627

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-12-25
Critical

CVE-2023-48654

One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium b…

CVSS: 9.8 CWE: N/A View on NVD
2023-12-20
High

CVE-2023-37871

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.

CVSS: 8.2 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2023-12-12
Medium

CVE-2023-50251

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an…

CVSS: 5.3 CWE: CWE-674 - Uncontrolled Recursion View on NVD
Critical

CVE-2023-50424

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploit…

CVSS: 9.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
2023-12-06
High

CVE-2023-45285

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, ev…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2023-26154

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of…

CVSS: 5.9 CWE: CWE-331 - Insufficient Entropy View on NVD
2023-12-05
High

CVE-2023-45287

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fu…

CVSS: 7.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2023-48698

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer derefer…

CVSS: 6.8 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2023-48697

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to memory buffer and point…

CVSS: 6.4 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2023-48696

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer derefer…

CVSS: 6.7 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
High

CVE-2023-48695

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to out of bounds write vul…

CVSS: 7.3 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2023-48694

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer derefer…

CVSS: 6.8 CWE: CWE-825 - Expired Pointer Dereference View on NVD
Medium

CVE-2023-49290

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-12-01
Critical

CVE-2023-48842

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-11-28
Medium

CVE-2023-45286

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when requ…

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2023-11-18
High

CVE-2023-46402

git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in urls.go.

CVSS: 7.5 CWE: CWE-1333 - Inefficient Regular Expression Complexity View on NVD
2023-11-10
High

CVE-2023-47108

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds la…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2023-11-09
High

CVE-2023-45283

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-11-07
Low

CVE-2023-46737

Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high num…

CVSS: 3.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-10-31
High

CVE-2023-46239

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handsh…

CVSS: 7.5 CWE: CWE-248 - Uncaught Exception View on NVD
High

CVE-2023-46129

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recent…

CVSS: 7.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2023-10-25
Medium

CVE-2023-46232

era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initi…

CVSS: 5.3 CWE: CWE-471 - Modification of Assumed-Immutable Data (MAID) View on NVD
2023-10-23
High

CVE-2023-46324

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been valid…

CVSS: 7.5 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2023-10-19
Medium

CVE-2023-45825

ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6 if you use a custom credentials object (implementation of interface Credentials it may leak into…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-10-18
High

CVE-2023-42319

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the…

CVSS: 7.5 CWE: N/A View on NVD
2023-10-16
High

CVE-2023-45141

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge…

CVSS: 8.6 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2023-45128

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values…

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-45683

github.com/crewjam/saml is a saml library for the go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-10-12
High

CVE-2023-45142

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality.…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Critical

CVE-2023-29453

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-10-05
High

CVE-2023-39323

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected…

CVSS: 8.1 CWE: N/A View on NVD
Medium

CVE-2023-42755

A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `r…

CVSS: 6.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2023-09-22
High

CVE-2023-42821

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `0.0.0-20230922105210-14b16010c2ee`, which corresponds with commit…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2023-09-21
High

CVE-2023-43631

On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open por…

CVSS: 8.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2023-09-20
High

CVE-2023-43630

PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not s…

CVSS: 8.8 CWE: CWE-328 - Use of Weak Hash View on NVD
2023-09-13
High

CVE-2023-4785

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant n…

CVSS: 7.5 CWE: CWE-248 - Uncaught Exception View on NVD
Medium

CVE-2023-4039

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in…

CVSS: 4.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2023-09-08
Medium

CVE-2023-41338

Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rel…

CVSS: 5.3 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
Critical

CVE-2023-39320

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This a…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-09-06
Low

CVE-2023-41329

WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specif…

CVSS: 3.9 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2023-40591

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messa…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-09-05
Medium

CVE-2023-36308

disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it…

CVSS: 5.5 CWE: CWE-129 - Improper Validation of Array Index View on NVD
2023-08-25
High

CVE-2023-40583

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-08-22
High

CVE-2022-34038

Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-08-10
High

CVE-2023-39966

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/fi…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2023-39964

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the serve…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2023-30702

Stack overflow vulnerability in SSHDCPAPP TA prior to &quot;SAMSUNG ELECTONICS, CO, LTD. - System Hardware Update - 7/13/2023&quot; in Windows Update for Galaxy book Go, Galaxy book Go 5G, Galaxy boo…

CVSS: 6.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2023-30695

Out-of-bounds Write vulnerability in SSHDCPAPP TA prior to &quot;SAMSUNG ELECTONICS, CO, LTD. - System Hardware Update - 7/13/2023&quot; in Windows Update for Galaxy book Go, Galaxy book Go 5G, Galax…

CVSS: 6.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-08-09
High

CVE-2023-33469

In instances where the screen is visible and remote mouse connection is enabled, KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 can be exploited to achieve local c…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2023-33468

KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the c…

CVSS: 9.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-08-08
High

CVE-2023-39533

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a nod…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2023-08-04
High

CVE-2023-37896

Nuclei is a vulnerability scanner. Prior to version 2.9.9, a security issue in the Nuclei project affected users utilizing Nuclei as Go code (SDK) running custom templates. This issue did not affect…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-07-25
Medium

CVE-2020-35698

Thinkific Thinkific Online Course Creation Platform 1.0 is affected by: Cross Site Scripting (XSS). The impact is: execute arbitrary code (remote). The component is: Affected Source code of the websi…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-07-17
High

CVE-2023-37475

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-07-13
High

CVE-2023-34458

mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the…

CVSS: 7.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-07-10
Critical

CVE-2021-4406

An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value…

CVSS: 9.1 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2021-42083

An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value…

CVSS: 8.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-07-06
High

CVE-2023-36456

authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and…

CVSS: 8.3 CWE: CWE-436 - Interpretation Conflict View on NVD
2023-07-05
High

CVE-2023-36624

Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an authenticated operating system user to escalate privileges via the Sudo configuration. This allows the elevated execution of binaries without a…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2023-36623

The root password of the Loxone Miniserver Go Gen.2 before 14.2 is calculated using hard-coded secrets and the MAC address. This allows a local user to calculate the root password and escalate privil…

CVSS: 7.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2023-36622

The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.

CVSS: 7.2 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2023-3515

Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4.

CVSS: 4.4 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-07-03
Medium

CVE-2023-36223

Cross Site Scripting vulnerability in mlogclub bbs-go v. 3.5.5. and before allows a remote attacker to execute arbitrary code via a crafted payload to the announcements parameter in the settings func…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-36222

Cross Site Scripting vulnerability in mlogclub bbs-go v. 3.5.5. and before allows a remote attacker to execute arbitrary code via a crafted payload to the comment parameter in the article function.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-06-30
Medium

CVE-2023-35947

Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written…

CVSS: 6.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2023-35946

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to…

CVSS: 6.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-06-15
Critical

CVE-2023-34800

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at genacgi_main.

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2023-06-14
High

CVE-2023-30082

A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 characters) is supplied using the osTicket application. This can cause the website…

CVSS: 7.5 CWE: CWE-1284 - Improper Validation of Specified Quantity in Input View on NVD
2023-06-08
Critical

CVE-2023-29405

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Critical

CVE-2023-29404

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2023-29403

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming…

CVSS: 7.8 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
Critical

CVE-2023-29402

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted mod…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-06-06
Critical

CVE-2023-34409

In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts.…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2023-33959

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in th…

CVSS: 8.3 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2023-05-31
High

CVE-2023-33964

mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction wi…

CVSS: 8.6 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2023-33509

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to SQL Injection.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2023-33508

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to unauthenticated file upload resulting in Remote Code Execution (RCE).

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2023-33507

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to Unauthenticated arbitrary file read.

CVSS: 7.5 CWE: N/A View on NVD
2023-05-30
High

CVE-2023-32698

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files c…

CVSS: 7.1 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2023-32691

gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted inpu…

CVSS: 5.9 CWE: CWE-203 - Observable Discrepancy View on NVD
2023-05-25
High

CVE-2023-2500

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from th…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD