StashApp Container Image Exposed: Critical SQL Injection & High-Severity IPv6 Parsing Flaws Detected
A critical security scan has flagged the official StashApp container image with two severe vulnerabilities, including a critical authorization bypass that enables arbitrary SQL execution. The automated scan, conducted on March 19, 2026, identified the flaws in the `stashapp/stash:latest` image, raising immediate concerns for any deployment using this version.
The most severe issue is tracked as CVE-2026-32767, rated CRITICAL, and resides in the `libexpat` library (version 2.7.3-r0). The vulnerability is described as an authorization bypass in the SiYuan component that allows for arbitrary SQL execution—a flaw that could lead to complete system compromise. A second, HIGH-severity vulnerability (CVE-2026-25679) was found in the Go standard library (`stdlib` v1.24.3), involving incorrect parsing of IPv6 host literals in the `net/url` package, which could be exploited for server-side request forgery or other network-based attacks.
The findings, automatically generated by the RedFlag scanner, indicate that these are not theoretical risks but active exposures in a widely used application image. Patched versions are available (`libexpat` 2.7.5-r0 and Go 1.25.8/1.26.1), so the risk is mitigated only once the image is rebuilt or updated to those versions. Any unpatched instance of StashApp remains directly vulnerable to remote code execution and potential data exfiltration, demanding urgent remediation from system administrators and DevOps teams.