Golang
Monthly
Remote code execution in ALGO 8180 IP Audio Alerter firmware via command injection in the web UI allows authenticated attackers to execute arbitrary commands on affected devices due to insufficient input validation. An attacker with valid credentials can exploit this vulnerability to achieve code execution in the device context. No patch is currently available for this high-severity vulnerability (CVSS 8.8).
Remote code execution in ALGO 8180 IP Audio Alerter firmware through command injection in the web UI allows authenticated attackers to execute arbitrary commands on affected devices due to insufficient input validation. The vulnerability requires valid credentials to exploit but enables complete device compromise once authenticated. No patch is currently available for this high-severity flaw affecting the Golang-based firmware.
Remote code execution in ALGO 8180 IP Audio Alerter firmware via command injection in the web interface allows authenticated attackers to execute arbitrary code on affected devices through insufficient input validation. The vulnerability requires valid credentials but no user interaction to exploit, presenting significant risk to networked audio alerting systems. No patch is currently available.
The Golang sigstore framework versions 1.10.3 and below fail to validate cache directory paths in the legacy TUF client, allowing a malicious TUF repository to overwrite arbitrary files on disk within the calling process's permission scope. This impacts direct users of the TUF client in sigstore/sigstore and older Cosign versions, though public Sigstore deployments are protected by metadata validation from trusted collaborators. No patch is currently available for this medium-severity path traversal vulnerability.
TMS Management Console v6.3.7 has a CVSS 10.0 arbitrary file upload vulnerability allowing remote attackers to execute arbitrary code on the server without authentication.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion.This issue affects Vango: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion.This issue affects Search & Go: from n/a through <= 2.8. [CVSS 8.1 HIGH]
Signature threshold validation bypass in go-tuf versions 2.0.0 through 2.3.0 allows a compromised or misconfigured TUF repository to disable signature verification by setting thresholds to zero, enabling attackers to tamper with metadata files without detection. This affects systems relying on go-tuf for secure software update verification, potentially allowing unauthorized modifications to trusted metadata both at rest and in transit. A patch is available in version 2.3.1.
go-tuf is a Go implementation of The Update Framework (TUF). [CVSS 5.9 MEDIUM]
Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.
Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers to write arbitrary files to the server through malicious tar archives, bypassing incomplete path sanitization. Public exploit code exists for this vulnerability. The issue stems from improper validation of absolute paths in tar file entries, enabling potential code execution or service disruption on affected systems.
Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. [CVSS 8.1 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]
Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service to affected network participants. An unauthenticated attacker on the network can exploit this vulnerability without user interaction to force vulnerable nodes offline. A patch is available in version 1.16.8 and later.
Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resulting in denial of service. This network-based attack requires no user interaction and affects Golang and Go Ethereum implementations prior to version 1.16.8. A patch is available to remediate this high-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it.
Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.
In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. [CVSS 5.4 MEDIUM]
Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.
Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).
Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.
Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.
Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.
Remote code execution in ALGO 8180 IP Audio Alerter firmware via command injection in the web UI allows authenticated attackers to execute arbitrary commands on affected devices due to insufficient input validation. An attacker with valid credentials can exploit this vulnerability to achieve code execution in the device context. No patch is currently available for this high-severity vulnerability (CVSS 8.8).
Remote code execution in ALGO 8180 IP Audio Alerter firmware through command injection in the web UI allows authenticated attackers to execute arbitrary commands on affected devices due to insufficient input validation. The vulnerability requires valid credentials to exploit but enables complete device compromise once authenticated. No patch is currently available for this high-severity flaw affecting the Golang-based firmware.
Remote code execution in ALGO 8180 IP Audio Alerter firmware via command injection in the web interface allows authenticated attackers to execute arbitrary code on affected devices through insufficient input validation. The vulnerability requires valid credentials but no user interaction to exploit, presenting significant risk to networked audio alerting systems. No patch is currently available.
The Golang sigstore framework versions 1.10.3 and below fail to validate cache directory paths in the legacy TUF client, allowing a malicious TUF repository to overwrite arbitrary files on disk within the calling process's permission scope. This impacts direct users of the TUF client in sigstore/sigstore and older Cosign versions, though public Sigstore deployments are protected by metadata validation from trusted collaborators. No patch is currently available for this medium-severity path traversal vulnerability.
TMS Management Console v6.3.7 has a CVSS 10.0 arbitrary file upload vulnerability allowing remote attackers to execute arbitrary code on the server without authentication.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion.This issue affects Vango: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion.This issue affects Search & Go: from n/a through <= 2.8. [CVSS 8.1 HIGH]
Signature threshold validation bypass in go-tuf versions 2.0.0 through 2.3.0 allows a compromised or misconfigured TUF repository to disable signature verification by setting thresholds to zero, enabling attackers to tamper with metadata files without detection. This affects systems relying on go-tuf for secure software update verification, potentially allowing unauthorized modifications to trusted metadata both at rest and in transit. A patch is available in version 2.3.1.
go-tuf is a Go implementation of The Update Framework (TUF). [CVSS 5.9 MEDIUM]
Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]
SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.
Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers to write arbitrary files to the server through malicious tar archives, bypassing incomplete path sanitization. Public exploit code exists for this vulnerability. The issue stems from improper validation of absolute paths in tar file entries, enabling potential code execution or service disruption on affected systems.
Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. [CVSS 8.1 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]
Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service to affected network participants. An unauthenticated attacker on the network can exploit this vulnerability without user interaction to force vulnerable nodes offline. A patch is available in version 1.16.8 and later.
Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resulting in denial of service. This network-based attack requires no user interaction and affects Golang and Go Ethereum implementations prior to version 1.16.8. A patch is available to remediate this high-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it.
Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.
In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. [CVSS 5.4 MEDIUM]
Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.
Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).
Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.
Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.
Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.