Skip to content

build(deps): bump golang.org/x/crypto from 0.48.0 to 0.52.0 in /proxy/caddy-jsonrpc-cache#4

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/proxy/caddy-jsonrpc-cache/golang.org/x/crypto-0.52.0
Open

build(deps): bump golang.org/x/crypto from 0.48.0 to 0.52.0 in /proxy/caddy-jsonrpc-cache#4
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/proxy/caddy-jsonrpc-cache/golang.org/x/crypto-0.52.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown

Bumps golang.org/x/crypto from 0.48.0 to 0.52.0.

Commits
  • a1c0d99 go.mod: update golang.org/x dependencies
  • 3c7c869 ssh: fix deadlock on unexpected channel responses
  • 533fb3f ssh: fix source-address critical option bypass
  • abbc44d ssh: fix incorrect operator order
  • e052873 ssh: fix infinite loop on large channel writes due to integer overflow
  • b61cf85 ssh: enforce user presence verification for security keys
  • 9c2cd33 ssh: enforce strict limits on DSA key parameters
  • 8907318 ssh: reject RSA keys with excessively large moduli
  • ffd87b4 ssh: fix panic when authority callbacks are nil
  • 4e7a738 ssh: fix deadlock on unexpected global responses
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.48.0 to 0.52.0.
- [Commits](golang/crypto@v0.48.0...v0.52.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 16, 2026
Copilot AI review requested due to automatic review settings July 16, 2026 20:46
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 16, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang golang.org/x/tools is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/caddyserver/caddy/v2@v2.11.2golang/golang.org/x/tools@v0.44.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/tools@v0.44.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sentinel-by-digital-frontier

Copy link
Copy Markdown

🛡️ Sentinel PR review

2 file(s) changed · 0 introduced by this diff (secrets+SAST) · 87 SCA/IaC · 658 CVE at repo baseline. Advisory — the fail-closed gate is the post-merge pentest.

Findings — ranked by criticality

  • 🔴 [CRITICAL · SCA] google.golang.org/grpc v1.79.1CVE-2026-33186 — vulnerable dependency google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation Fix: Upgrade to 1.79.3. (CVSS 9.1 · CWE-285 CWE-551) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] google.golang.org/grpc v1.79.1GHSA-p77j-4mvh-x3m3 — vulnerable dependency gRPC-Go has an authorization bypass via missing leading slash in :path Fix: Upgrade to 1.79.3. (CVSS 9.1) details (✓ 2 methods agree)
  • 🔴 [CRITICAL · SCA] protobufjs 7.5.4CVE-2026-41242 — vulnerable dependency protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields Fix: Upgrade to 8.0.1, 7.5.5. (CVSS 9.8 · CWE-94) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0CVE-2026-33815 — vulnerable dependency github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8 · CWE-787) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0CVE-2026-33816 — vulnerable dependency github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8 · CWE-787) details
  • 🔴 [CRITICAL · SCA] github.com/smallstep/certificates v0.30.0-rc3CVE-2026-30836 — vulnerable dependency github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request Fix: Upgrade to 0.30.0. (CVSS 10 · CWE-287 CWE-295) details
  • 🔴 [CRITICAL · SCA] vllm 0.20.2GHSA-94f4-hr76-p5j6 — vulnerable dependency vLLM: OpenAI auth bypass Fix: Upgrade to 0.22.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] protobufjs 7.5.4GHSA-xq3m-2v4x-88gg — vulnerable dependency Arbitrary code execution in protobufjs Fix: Upgrade to 7.5.5. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0GHSA-xgrm-4fwx-7qm8 — vulnerable dependency pgx contains memory-safety vulnerability Fix: Upgrade to 5.9.0. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] github.com/jackc/pgx/v5 v5.6.0GHSA-9jj7-4m8r-rfcm — vulnerable dependency Memory-safety vulnerability in github.com/jackc/pgx/v5. Fix: Upgrade to 5.9.0. (CVSS 9.8) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-vgwf-h737-ff37 — vulnerable dependency golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-f5wc-c3c7-36mc — vulnerable dependency golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-5cgq-3rg8-m6cv — vulnerable dependency golang.org/x/crypto vulnerable to auth bypass via unenforced @Revoked status Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-rm3j-f69w-wqmq — vulnerable dependency golang.org/x/crypto vulnerable to infinite loop on large channel writes Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5020 — vulnerable dependency When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation cau Fix: Upgrade to 0.52.0. (CVSS 9.1)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-x527-x647-q7gg — vulnerable dependency golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement Fix: Upgrade to 0.52.0. (CVSS 10) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-89gr-r52h-f8rx — vulnerable dependency golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5019 — vulnerable dependency The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Fix: Upgrade to 0.52.0. (CVSS 9.1)
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GHSA-jppx-rxg9-jmrx — vulnerable dependency golang.org/x/crypto doesn't enforce invoking key constraints Fix: Upgrade to 0.52.0. (CVSS 9.1) details
  • 🔴 [CRITICAL · SCA] golang.org/x/crypto v0.48.0GO-2026-5005 — vulnerable dependency The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key wo Fix: Upgrade to 0.52.0. (CVSS 9.1)
  • 🔴 [CRITICAL · SCA] github.com/smallstep/certificates v0.30.0-rc3GHSA-q4r8-xm5f-56gw — vulnerable dependency step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) Fix: Upgrade to 0.30.0. (CVSS 10) details
  • 🟠 [HIGH · SCA] pyo3 0.24.2GHSA-36hh-v3qg-5jq4 — vulnerable dependency PyO3 has an Out-of-bounds Read in nth / nth_back for PyList and PyTuple iterators Fix: Upgrade to 0.29.0. (CVSS 8.7) details (✓ 6 methods agree)
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-8h8q-6873-q5fj — vulnerable dependency Next.js Vulnerable to Denial of Service with Server Components Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-q4gf-8mx6-v5v3 — vulnerable dependency Next.js has a Denial of Service with Server Components Fix: Upgrade to 15.5.15, 16.2.3. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] go.opentelemetry.io/otel v1.40.0CVE-2026-29181 — vulnerable dependency github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers Fix: Upgrade to 1.41.0. (CVSS 7.5 · CWE-770) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] go.opentelemetry.io/otel v1.40.0GHSA-mh2q-q3fh-2475 — vulnerable dependency OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) Fix: Upgrade to 1.41.0. (CVSS 7.5) details (✓ 2 methods agree)
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3CVE-2026-48068 — vulnerable dependency grpc-js: @grpc/grpc-js: Server crash via malformed HTTP/2 stream initiation Fix: Upgrade to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. (CVSS 7.5 · CWE-248) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3CVE-2026-48069 — vulnerable dependency grpc-js: @grpc/grpc-js: Client or server crash via malformed compressed message Fix: Upgrade to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. (CVSS 7.5 · CWE-248) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-25639 — vulnerable dependency axios: Axios affected by Denial of Service via proto Key in mergeConfig Fix: Upgrade to 1.13.5, 0.30.3. (CVSS 7.5 · CWE-754 CWE-1287) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42033 — vulnerable dependency axios: Axios: HTTP Transport Hijacking via Prototype Pollution Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 7.4 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42035 — vulnerable dependency axios: Axios: Arbitrary HTTP header injection via prototype pollution Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 7.4 · CWE-113 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42043 — vulnerable dependency axios: Axios: NO_PROXY bypass via crafted URL Fix: Upgrade to 1.15.1, 0.31.1. (CVSS 10 · CWE-183 CWE-441) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-42264 — vulnerable dependency axios: Axios: Prototype pollution allows information disclosure and request manipulation Fix: Upgrade to 1.15.2. (CVSS 9.1 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44486 — vulnerable dependency axios: Axios: Information disclosure of proxy credentials via HTTP redirects Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-200 CWE-201) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44487 — vulnerable dependency axios: Axios: Information disclosure of proxy credentials via redirect flows Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-201) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44488 — vulnerable dependency axios: Axios: Denial of Service due to unenforced request and response size limits Fix: Upgrade to 1.16.0. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44494 — vulnerable dependency axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution Fix: Upgrade to 1.16.0. (CVSS 8.7 · CWE-441 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44495 — vulnerable dependency axios: Axios: Information disclosure due to prototype pollution vulnerability Fix: Upgrade to 1.15.2, 0.31.1. (CVSS 7 · CWE-94 CWE-1321) details
  • 🟠 [HIGH · SCA] axios 1.13.2CVE-2026-44496 — vulnerable dependency axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name Fix: Upgrade to 1.16.0, 0.32.0. (CVSS 7.5 · CWE-400 CWE-1333) details
  • 🟠 [HIGH · SCA] flatted 3.3.3CVE-2026-32141 — vulnerable dependency flatted: flatted: Unbounded recursion DoS in parse() revive phase Fix: Upgrade to 3.4.0. (CVSS 7.5 · CWE-674 CWE-770) details
  • 🟠 [HIGH · SCA] flatted 3.3.3CVE-2026-33228 — vulnerable dependency flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON. Fix: Upgrade to 3.4.2. (CVSS 9.8 · CWE-1321 CWE-915) details
  • 🟠 [HIGH · SCA] form-data 4.0.5CVE-2026-12143 — vulnerable dependency form-data: form-data: Form field override via CRLF injection Fix: Upgrade to 2.5.6, 3.0.5, 4.0.6. (CVSS 7.5 · CWE-93) details
  • 🟠 [HIGH · SCA] lodash 4.17.21CVE-2026-4800 — vulnerable dependency lodash: lodash: Arbitrary code execution via untrusted input in template imports Fix: Upgrade to 4.18.0. (CVSS 9.8 · CWE-94) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-26996 — vulnerable dependency minimatch: minimatch: Denial of Service via specially crafted glob patterns Fix: Upgrade to 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-27903 — vulnerable dependency minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3. (CVSS 7.5 · CWE-407) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2CVE-2026-27904 — vulnerable dependency minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-26996 — vulnerable dependency minimatch: minimatch: Denial of Service via specially crafted glob patterns Fix: Upgrade to 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-27903 — vulnerable dependency minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3. (CVSS 7.5 · CWE-407) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5CVE-2026-27904 — vulnerable dependency minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions Fix: Upgrade to 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44573 — vulnerable dependency next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-863 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44574 — vulnerable dependency Next.js: Next.js: Authorization bypass via crafted query parameters Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 8.1 · CWE-288 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44575 — vulnerable dependency next.js: Next.js: Unauthorized access to protected content via middleware bypass Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-288 CWE-551) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44578 — vulnerable dependency Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 8.6 · CWE-918) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-44579 — vulnerable dependency next.js: Next.js: Denial of Service via crafted POST requests to server actions Fix: Upgrade to 15.5.16, 16.2.5. (CVSS 7.5 · CWE-770 CWE-833) details
  • 🟠 [HIGH · SCA] next 15.5.12CVE-2026-45109 — vulnerable dependency next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack Fix: Upgrade to 15.5.18, 16.2.6. (CVSS 7.5 · CWE-288 CWE-358) details
  • 🟠 [HIGH · SCA] picomatch 2.3.1CVE-2026-33671 — vulnerable dependency picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns Fix: Upgrade to 4.0.4, 3.0.2, 2.3.2. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] picomatch 4.0.3CVE-2026-33671 — vulnerable dependency picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns Fix: Upgrade to 4.0.4, 3.0.2, 2.3.2. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44289 — vulnerable dependency protobufjs: protobufjs: Denial of Service via uncontrolled recursion in protobuf decoding Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 7.5 · CWE-674 CWE-606) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44290 — vulnerable dependency protobufjs: protobufjs: Denial of Service via crafted schema Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 7.5 · CWE-1321) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44291 — vulnerable dependency protobufjs: protobufjs: Arbitrary Code Execution via prototype pollution Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 8.1 · CWE-94) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-44293 — vulnerable dependency protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors Fix: Upgrade to 7.5.6, 8.0.2. (CVSS 8.8 · CWE-94) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4CVE-2026-48712 — vulnerable dependency protobufjs: protobufjs: Denial of Service via uncontrolled recursion with crafted protobuf payload Fix: Upgrade to 7.6.1, 8.4.1. (CVSS 7.5 · CWE-674) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-21884 — vulnerable dependency react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration Fix: Upgrade to 7.12.0. (CVSS 8.2 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-22029 — vulnerable dependency @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects Fix: Upgrade to 7.12.0. (CVSS 8 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-33245 — vulnerable dependency react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects Fix: Upgrade to 7.13.2. (CVSS 8 · CWE-79) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-34077 — vulnerable dependency react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handling Fix: Upgrade to 7.14.0. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-42211 — vulnerable dependency React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE Fix: Upgrade to 7.14.2. (CVSS 8.1 · CWE-502) details
  • 🟠 [HIGH · SCA] react-router 7.11.0CVE-2026-42342 — vulnerable dependency react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint Fix: Upgrade to 7.15.0. (CVSS 7.5 · CWE-400) details
  • 🟠 [HIGH · SCA] valibot 0.37.0CVE-2025-66020 — vulnerable dependency Valibot has a ReDoS vulnerability in EMOJI_REGEX Fix: Upgrade to 1.2.0. (CVSS 7.5 · CWE-1333) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2025-47950 — vulnerable dependency coredns: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification Fix: Upgrade to 1.12.2. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2025-58063 — vulnerable dependency github.com/coredns/coredns: CoreDNS Lease ID Confusion Fix: Upgrade to 1.12.4. (CVSS 7.1 · CWE-681) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-26017 — vulnerable dependency github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw Fix: Upgrade to 1.14.2. (CVSS 7.7 · CWE-367) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-26018 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Denial of Service vulnerability due to predictable pseudo-random number generation Fix: Upgrade to 1.14.2. (CVSS 7.5 · CWE-337 CWE-400) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-32934 — vulnerable dependency coredns: github.com/coredns/coredns: CoreDNS: Denial of Service due to unbounded resource growth in DNS-over-QUIC (DoQ) stream handling Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-770) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-32936 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Denial of Service via oversized DNS-over-HTTPS GET requests Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-400) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-33190 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Authentication bypass via flawed TSIG plugin verification on non-plain-DNS transports Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-303) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-33489 — vulnerable dependency CoreDNS: github.com/coredns/coredns: CoreDNS: Information disclosure via incorrect ACL stanza selection in transfer plugin Fix: Upgrade to 1.14.3. (CVSS 7.5 · CWE-863) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3CVE-2026-35579 — vulnerable dependency github.com/coredns/coredns: CoreDNS: Authentication bypass allows unauthorized access to TSIG-protected functionalities Fix: Upgrade to 1.14.3. (CVSS 9.8 · CWE-287 CWE-303) details
  • 🟠 [HIGH · SCA] github.com/quic-go/quic-go v0.42.0CVE-2025-59530 — vulnerable dependency github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame Fix: Upgrade to 0.49.1, 0.54.1. (CVSS 7.5 · CWE-617 CWE-755) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39828 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions Fix: Upgrade to 0.52.0. (CVSS 8.8 · CWE-295 CWE-281) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39829 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-347 CWE-1284) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39830 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-119 CWE-772) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39831 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check Fix: Upgrade to 0.52.0. (CVSS 8.1 · CWE-862) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39832 — vulnerable dependency golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions Fix: Upgrade to 0.52.0. (CVSS 8.7 · CWE-502 CWE-281) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-39835 — vulnerable dependency golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-295 CWE-476) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-42508 — vulnerable dependency golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey Fix: Upgrade to 0.52.0. (CVSS 7.4 · CWE-295) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-46595 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation Fix: Upgrade to 0.52.0. (CVSS 7.1 · CWE-863 CWE-303) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0CVE-2026-46597 — vulnerable dependency golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs Fix: Upgrade to 0.52.0. (CVSS 7.5 · CWE-704) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-25681 — vulnerable dependency golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-27136 — vulnerable dependency golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-33814 — vulnerable dependency net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame Fix: Upgrade to 0.53.0. (CVSS 7.5 · CWE-835 CWE-606) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0CVE-2026-39821 — vulnerable dependency golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing Fix: Upgrade to 0.55.0. (CVSS 8.2 · CWE-1289) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-45135 — vulnerable dependency Caddy is an extensible server platform that uses TLS by default. From ... Fix: Upgrade to 2.11.3. (CVSS 8.1 · CWE-20 CWE-176) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-52844 — vulnerable dependency Caddy is an extensible server platform that uses TLS by default. Prior ... Fix: Upgrade to 2.11.4. (CVSS 7.5 · CWE-22 CWE-284) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2CVE-2026-52845 — vulnerable dependency github.com/caddyserver/caddy: Caddy: Remote client can inject or override identity headers via header normalization Fix: Upgrade to 2.11.4. (CVSS 8.1 · CWE-287 CWE-290) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v3 v3.0.4CVE-2026-34986 — vulnerable dependency github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object Fix: Upgrade to 3.0.5. (CVSS 7.5 · CWE-248 CWE-131) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v4 v4.1.3CVE-2026-34986 — vulnerable dependency github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object Fix: Upgrade to 4.1.4. (CVSS 7.5 · CWE-248 CWE-131) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.54.0CVE-2026-25681 — vulnerable dependency golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.54.0CVE-2026-27136 — vulnerable dependency golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass Fix: Upgrade to 0.55.0. (CVSS 8.1 · CWE-1021) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.54.0CVE-2026-39821 — vulnerable dependency golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing Fix: Upgrade to 0.55.0. (CVSS 8.2 · CWE-1289) details
  • 🟠 [HIGH · IaC] dnsseeder/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] miner/vllm-miner/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] node/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] proxy/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] spv/tools/DockerfileImage user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Fix: Add 'USER ' line to the Dockerfile
  • 🟠 [HIGH · IaC] spv/tools/Dockerfile'apt-get' missing '--no-install-recommends' '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y git' Fix: Add '--no-install-recommends' flag to 'apt-get'
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-c4j6-fc7j-m34r — vulnerable dependency Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades Fix: Upgrade to 15.5.16. (CVSS 8.6) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-43fc-jf86-j433 — vulnerable dependency Axios is Vulnerable to Denial of Service via proto Key in mergeConfig Fix: Upgrade to 1.13.5. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] lodash 4.17.21GHSA-r5fr-rjxr-66jc — vulnerable dependency lodash vulnerable to Code Injection via _.template imports key names Fix: Upgrade to 4.18.0. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-267c-6grr-h53f — vulnerable dependency Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-cvx7-x8pj-x2gw — vulnerable dependency CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification Fix: Upgrade to 1.12.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-35jp-ww65-95wh — vulnerable dependency axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy Fix: Upgrade to 1.16.0. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-h75p-j8xm-m278 — vulnerable dependency CoreDNS Loop Detection Denial of Service Vulnerability Fix: Upgrade to 1.14.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] ecdsa 0.19.1GHSA-wj6h-64fc-37mp — vulnerable dependency Minerva timing attack on P-256 in python-ecdsa Fix: No fixed version yet — assess exposure / pin. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] flatted 3.3.3GHSA-rf6f-7fwh-wjgh — vulnerable dependency Prototype Pollution via parse() in NodeJS flatted Fix: Upgrade to 3.4.2. (CVSS 8.9) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-pf86-5x62-jrwf — vulnerable dependency Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking Fix: Upgrade to 1.15.1. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-2w69-qvjg-hvjx — vulnerable dependency React Router vulnerable to XSS via Open Redirects Fix: Upgrade to 7.12.0. (CVSS 8) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0GO-2026-4918 — vulnerable dependency When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_F Fix: Upgrade to 0.53.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] flatted 3.3.3GHSA-25h7-pfq9-p65f — vulnerable dependency flatted vulnerable to unbounded recursion DoS in parse() revive phase Fix: Upgrade to 3.4.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-q8qp-cvcw-x6jj — vulnerable dependency Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking Fix: Upgrade to 1.15.2. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-63cw-r7xf-jmwr — vulnerable dependency CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-p92q-9vqr-4j8v — vulnerable dependency Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter Fix: Upgrade to 1.16.0. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v3 v3.0.4GHSA-78h2-9frx-2jm8 — vulnerable dependency Go JOSE Panics in JWE decryption Fix: Upgrade to 3.0.5. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/go-jose/go-jose/v4 v4.1.3GHSA-78h2-9frx-2jm8 — vulnerable dependency Go JOSE Panics in JWE decryption Fix: Upgrade to 4.1.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-pmwg-cvhr-8vh7 — vulnerable dependency Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 Fix: Upgrade to 1.15.1. (CVSS 7.2) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-777c-7fjr-54vf — vulnerable dependency Allocation of Resources Without Limits or Throttling in Axios Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3GHSA-5375-pq7m-f5r2 — vulnerable dependency @grpc/grpc-js: A malformed request can cause a server crash Fix: Upgrade to 1.14.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] @grpc/grpc-js 1.14.3GHSA-99f4-grh7-6pcq — vulnerable dependency @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash Fix: Upgrade to 1.14.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-hfxv-24rg-xrqf — vulnerable dependency Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-36qx-fr4f-26g5 — vulnerable dependency Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-685m-2w69-288q — vulnerable dependency protobuf.js: Denial of service through unbounded protobuf recursion Fix: Upgrade to 7.5.6. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5006 — vulnerable dependency When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. D Fix: Upgrade to 0.52.0. (CVSS 8.7)
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-3ppc-4f35-3m26 — vulnerable dependency minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern Fix: Upgrade to 3.1.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-3ppc-4f35-3m26 — vulnerable dependency minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern Fix: Upgrade to 9.0.6. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-mg66-mrh9-m8jx — vulnerable dependency Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components Fix: Upgrade to 15.5.16. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-26hh-7cqf-hhc6 — vulnerable dependency Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up Fix: Upgrade to 15.5.18. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5017 — vulnerable dependency A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The bl Fix: Upgrade to 0.52.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-j5f8-grm9-p9fc — vulnerable dependency Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection Fix: Upgrade to 1.16.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-vp29-5652-4fw9 — vulnerable dependency CoreDNS has TSIG authentication bypass on gRPC and QUIC transports Fix: Upgrade to 1.14.3. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-75px-5xx7-5xc7 — vulnerable dependency protobuf.js: Code generation gadget after prototype pollution Fix: Upgrade to 7.5.6. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-7r86-cg39-jmmj — vulnerable dependency minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments Fix: Upgrade to 3.1.3. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-7r86-cg39-jmmj — vulnerable dependency minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments Fix: Upgrade to 9.0.7. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] next 15.5.12GHSA-492v-c6pp-mqqv — vulnerable dependency Next.js has a Middleware / Proxy bypass through dynamic route parameter injection Fix: Upgrade to 15.5.16. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] golang.org/x/net v0.49.0GO-2026-5026 — vulnerable dependency The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("x Fix: Upgrade to 0.55.0. (CVSS 8.2)
  • 🟠 [HIGH · SCA] golang.org/x/net v0.54.0GO-2026-5026 — vulnerable dependency The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("x Fix: Upgrade to 0.55.0. (CVSS 8.2)
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8v8x-cx79-35w7 — vulnerable dependency React Router SSR XSS in ScrollRestoration Fix: Upgrade to 7.12.0. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-2wpx-qpw2-g5h5 — vulnerable dependency CoreDNS' DoQ worker pool does not bound stream backlog Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] vllm 0.20.2GHSA-q8gq-377p-jq3r — vulnerable dependency vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution Fix: Upgrade to 0.22.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5021 — vulnerable dependency Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' Fix: Upgrade to 0.52.0. (CVSS 7.4)
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-3g43-6gmg-66jw — vulnerable dependency axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge Fix: Upgrade to 1.15.2. (CVSS 7) details
  • 🟠 [HIGH · SCA] minimatch 3.1.2GHSA-23c5-xmqv-rm74 — vulnerable dependency minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions Fix: Upgrade to 3.1.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] minimatch 9.0.5GHSA-23c5-xmqv-rm74 — vulnerable dependency minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions Fix: Upgrade to 9.0.7. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/quic-go/quic-go v0.42.0GHSA-47m2-4cr7-mhcw — vulnerable dependency quic-go: Panic occurs when queuing undecryptable packets after handshake completion Fix: Upgrade to 0.49.1. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] ujson 5.12.0GHSA-c38f-wx89-p2xg — vulnerable dependency UltraJSON has a Memory Leak in ujson.dump() on Write Failure Fix: Upgrade to 5.12.1. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-49rj-9fvp-4h2h — vulnerable dependency React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE Fix: Upgrade to 7.14.2. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5023 — vulnerable dependency Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed othe Fix: Upgrade to 0.52.0. (CVSS 7.1)
  • 🟠 [HIGH · SCA] form-data 4.0.5GHSA-hmw2-7cc7-3qxx — vulnerable dependency form-data: CRLF injection in form-data via unescaped multipart field names and filenames Fix: Upgrade to 4.0.6. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GHSA-w879-237q-wc7r — vulnerable dependency golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS Fix: Upgrade to 0.52.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5018 — vulnerable dependency The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or Fix: Upgrade to 0.52.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] picomatch 2.3.1GHSA-c2c7-rcm5-vvqj — vulnerable dependency Picomatch has a ReDoS vulnerability via extglob quantifiers Fix: Upgrade to 2.3.2. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] picomatch 4.0.3GHSA-c2c7-rcm5-vvqj — vulnerable dependency Picomatch has a ReDoS vulnerability via extglob quantifiers Fix: Upgrade to 4.0.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2GHSA-qrp7-cvwr-j2c6 — vulnerable dependency Caddy: Windows file_server path authorization bypass via encoded backslash Fix: Upgrade to 2.11.4. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-66ff-xgx4-vchm — vulnerable dependency protobuf.js: Code injection through bytes field defaults in generated toObject code Fix: Upgrade to 7.5.6. (CVSS 7.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-h8mm-c463-wjq3 — vulnerable dependency CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass) Fix: Upgrade to 1.14.3. (CVSS 8.2) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-93mf-426m-g6x9 — vulnerable dependency CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion Fix: Upgrade to 1.12.4. (CVSS 7.1) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5015 — vulnerable dependency SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a Fix: Upgrade to 0.52.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] axios 1.13.2GHSA-6chq-wfr3-2hj9 — vulnerable dependency Axios: Header Injection via Prototype Pollution Fix: Upgrade to 1.15.1. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] pyjwt 2.11.0GHSA-xgmm-8j9v-c9wx — vulnerable dependency PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed Fix: Upgrade to 2.13.0. (CVSS 7.4) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-c9v3-4pv7-87pr — vulnerable dependency CoreDNS ACL Bypass Fix: Upgrade to 1.14.2. (CVSS 7.7) details
  • 🟠 [HIGH · SCA] github.com/coredns/coredns v1.11.3GHSA-qhmp-q7xh-99rh — vulnerable dependency CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC Fix: Upgrade to 1.14.3. (CVSS 8.7) details
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-jvwf-75h9-cwgg — vulnerable dependency protobuf.js: Process-wide denial of service through unsafe option paths Fix: Upgrade to 7.5.6. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] starlette 0.52.1GHSA-wqp7-x3pw-xc5r — vulnerable dependency Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows Fix: Upgrade to 1.1.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GHSA-q4h4-gmj2-qvw2 — vulnerable dependency golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic Fix: Upgrade to 0.52.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5013 — vulnerable dependency An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. Fix: Upgrade to 0.52.0. (CVSS 7.5)
  • 🟠 [HIGH · SCA] golang.org/x/crypto v0.48.0GO-2026-5014 — vulnerable dependency When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, Fix: Upgrade to 0.52.0. (CVSS 8.8)
  • 🟠 [HIGH · SCA] protobufjs 7.5.4GHSA-wcpc-wj8m-hjx6 — vulnerable dependency protobufjs: Denial of service through unbounded Any expansion during JSON conversion Fix: Upgrade to 7.6.1. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8x6r-g9mw-2r78 — vulnerable dependency React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint Fix: Upgrade to 7.15.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] valibot 0.37.0GHSA-vqpr-j7v3-hqw9 — vulnerable dependency Valibot has a ReDoS vulnerability in EMOJI_REGEX Fix: Upgrade to 1.2.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-rxv8-25v2-qmq8 — vulnerable dependency React Router vulnerable to Denial of Service via reflected user input in single-fetch Fix: Upgrade to 7.14.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] starlette 0.52.1GHSA-82w8-qh3p-5jfq — vulnerable dependency Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS Fix: Upgrade to 1.3.1. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] pyjwt 2.11.0GHSA-752w-5fwx-jx9f — vulnerable dependency PyJWT accepts unknown crit header extensions Fix: Upgrade to 2.12.0. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] python-multipart 0.0.27GHSA-5rvq-cxj2-64vf — vulnerable dependency python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service Fix: Upgrade to 0.0.30. (CVSS 7.5) details
  • 🟠 [HIGH · SCA] github.com/caddyserver/caddy/v2 v2.11.2GHSA-f59h-q822-g45g — vulnerable dependency Caddy: FastCGI header normalization bypass in forward_auth copy_headers Fix: Upgrade to 2.11.4. (CVSS 8.1) details
  • 🟠 [HIGH · SCA] react-router 7.11.0GHSA-8646-j5j9-6r62 — vulnerable dependency React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets Fix: Upgrade to 7.13.2. (CVSS 8) details
  • 🟠 [HIGH · SCA] cryptography 46.0.7GHSA-537c-gmf6-5ccf — vulnerable dependency Vulnerable OpenSSL included in cryptography wheels Fix: Upgrade to 48.0.1. (CVSS 7.5) details
  • 🟡 [MEDIUM · SCA] pyo3 0.24.2GHSA-chgr-c6px-7xpp — vulnerable dependency PyO3 has a missing Sync bound on PyCFunction::new_closure closures Fix: Upgrade to 0.29.0. (CVSS 6.3) details (✓ 3 methods agree)
  • 🟡 [MEDIUM · SCA] serde_with 3.18.0GHSA-7gcf-g7xr-8hxj — vulnerable dependency serde_with: KeyValueMap serialization panics on empty sequence or map entries Fix: Upgrade to 3.21.0. (CVSS 5.1) details (✓ 3 methods agree)
  • 🟡 [MEDIUM · SCA] github.com/go-viper/mapstructure/v2 v2.2.1GHSA-2464-8j7c-4cjm — vulnerable dependency go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data Fix: Upgrade to 2.4.0. (CVSS 5.3) details (✓ 2 methods agree)
  • 🟡 [MEDIUM · SCA] github.com/go-viper/mapstructure/v2 v2.2.1GHSA-fv92-fjc5-jj9h — vulnerable dependency mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data Fix: Upgrade to 2.3.0. (CVSS 5.3) details (✓ 2 methods agree)
  • 🟡 [MEDIUM · SCA] lodash 4.17.21GHSA-xxjr-mmjv-4gpg — vulnerable dependency Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions Fix: Upgrade to 4.17.23. (CVSS 6.9) details
  • 🟡 [MEDIUM · SCA] axios 1.13.2GHSA-fvcv-3m26-pcqx — vulnerable dependency Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Fix: Upgrade to 1.15.0. (CVSS 4.8) details
  • …and 112 more (the least-critical, trimmed to fit GitHub's comment limit).

📦 New dependencies

This PR adds 0 and upgrades 7 third-party package(s). Review new supply-chain surface (licenses, maintainers, CVE exposure).

Upgraded (7)

  • golang.org/x/crypto v0.48.0 → v0.52.0 (go-module)
  • golang.org/x/mod v0.33.0 → v0.35.0 (go-module)
  • golang.org/x/net v0.51.0 → v0.54.0 (go-module)
  • golang.org/x/sys v0.41.0 → v0.45.0 (go-module)
  • golang.org/x/term v0.40.0 → v0.43.0 (go-module)
  • golang.org/x/text v0.34.0 → v0.37.0 (go-module)
  • golang.org/x/tools v0.42.0 → v0.44.0 (go-module)
Scan summary
Category Scope Findings
Secrets this diff 0
Static analysis changed files 0
Dependencies + IaC repo baseline 87
Known CVEs repo baseline 658

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant