The Lab · 2026-03-26 21:27:19 · GitHub Issues
A critical vulnerability in the widely used `golang.org/x/net` library allows a simple HTTP/2 request to crash Go-based servers. The flaw, tracked as CVE-2026-27141 (GO-2026-4559), stems from a missing nil check in the HTTP/2 frame handling code. Specifically, sending frames with type codes between 0x0a and 0x0f will t...
The Lab · 2026-03-28 03:26:53 · GitHub Issues
A security vulnerability in the Holocron application's SQLite storage layer creates its database directory with overly permissive, world-readable permissions. The flaw, coded in the `New()` function within `internal/store/sqlite/sqlite.go`, explicitly calls for the directory to be created with `0755` permissions. This ...
The Lab · 2026-03-30 02:27:03 · GitHub Issues
In the OpenBao project's `release/2.4.x` branch, a high-severity security vulnerability flagged as "exploitable" has been detected by the automated tool govulncheck. The vulnerability originates in the project's dependency on the OpenTelemetry Go SDK; its core risk is possible hijacking through the PATH environment variable, leading to arbitrary code execution. The vulnerability was fixed in version v1.40.0 of the OpenTelemetry SDK, but the current OpenBao branch still uses the flawed older version.
The vulnerability ID is GO-2026-4394, and it directly affects multiple key locations in the OpenBao codebase. The affected files and functions are wide-ranging, spanning PKI certificate management, cluster operations, the agent and server startup commands, and the core logic of the diagnostic tool. The specific affected code pa...
The Lab · 2026-03-30 04:27:02 · GitHub Issues
A critical production dependency in a syslog module is anchored to an unreleased, unvetted external library, raising immediate security and supply chain risks. The module depends on `github.com/gravwell/srslog` at a pseudo-version (`v0.0.0-20250709201549-e1b2fdb7e306`), a practice that complicates security audits and v...
The Lab · 2026-03-31 16:27:23 · GitHub Issues
A critical security patch for Red Hat's OpenShift API for Data Protection (OADP) 1.5 addresses multiple high-severity vulnerabilities in its core Go programming language toolchain and foundational libraries. The update is a forced response to a cluster of CVEs, including a significant X.509 email address constraint...
The Lab · 2026-04-01 04:27:04 · GitHub Issues
A critical, reachable vulnerability has been confirmed in the OpenBao secrets management platform, exposing its `release/2.5.x` branch to a gRPC authorization bypass. The flaw, tracked as GO-2026-4762, stems from a missing leading slash in the HTTP/2 `:path` header within the `google.golang.org/grpc` library, a core de...
The Lab · 2026-04-01 20:27:22 · GitHub Issues
A critical security update for the widely-used `golang.org/x/crypto` library patches two severe vulnerabilities in SSH servers that could allow attackers to trigger unbounded memory consumption and denial-of-service attacks. The update, jumping from version 0.37.0 to 0.45.0, addresses flaws that directly impact the sta...
The Lab · 2026-04-03 01:27:02 · GitHub Issues
An exploitable, severe security vulnerability has been found in the main branch of the OpenBao Secrets Operator project's codebase. The vulnerability, tracked as GO-2024-2687, exists in multiple core dependencies, including `golang.org/x/net`. By sending an excessive number of CONTINUATION frames to an HTTP/2 endpoint, an attacker can force the server to read an arbitrary amount of header data, potentially exhausting server resources or causing a service outage. The vulnerability's threat level is "reachable", meaning there is a risk of exploitation through existing code paths.
Specifically, the vulnerability stems from a flaw in the handling of CONTINUATION frames in the HTTP/2 protocol implementation. To maintain HPACK state, the server must parse and process all HEADERS and CONTINUATION ...
The Lab · 2026-04-03 10:27:06 · GitHub Issues
A critical vulnerability in the widely-used Go-JOSE library triggers a runtime panic when processing malformed JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, resides in the key unwrapping logic and can crash any service that attempts to decrypt a JWE with a specific, anomalous structure. This c...
The Lab · 2026-04-04 15:27:01 · GitHub Issues
A critical security vulnerability in the widely-used Go-JOSE library forces an immediate patch to version 4.1.4. The flaw, tracked as CVE-2026-34986, causes a runtime panic when the library attempts to decrypt a JSON Web Encryption (JWE) object that uses a key wrapping algorithm (identified by an `alg` field ending in ...
The Lab · 2026-04-05 03:27:03 · GitHub Issues
A critical security flaw in the widely-used `github.com/go-jose/go-jose/v4` library has been patched, addressing a vulnerability that could cause applications to crash when processing malformed encrypted data. The issue, tracked as CVE-2026-34986, triggers a panic during the decryption of specific JSON Web Encryption (...
The Lab · 2026-04-05 04:26:48 · GitHub Issues
A high-severity supply chain vulnerability has been discovered within the Charon backend's core binary. The Grype scan flagged GHSA-x744-4wpc-v9h2, a critical authorization bypass flaw with a CVSS score of 8.8, embedded in the `github.com/docker/docker` SDK version v28.5.2+incompatible. This specific vulnerability allo...
The Lab · 2026-04-07 13:27:14 · GitHub Issues
A critical security vulnerability in the widely-used Go-Jose library triggers a panic during the decryption of certain JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, is present in versions prior to v4.1.4 and is triggered when a JWE object's `alg` (algorithm) field specifies a key wrapping algo...
The Lab · 2026-04-08 09:27:02 · GitHub Issues
A critical security vulnerability in the AWS SDK for Go's S3 client library has triggered an urgent, mandatory update for all dependent projects. The GitHub security advisory GHSA-xmrv-pmrh-hhx2, linked to the AWS/aws-sdk-go-v2 repository, necessitates an immediate upgrade from version 1.69.0 to the patched version 1.9...
The Lab · 2026-04-08 12:27:14 · GitHub Issues
A critical security flaw in the hub server leaves it vulnerable to denial-of-service attacks. The system lacks any rate limiting on incoming connections, allowing a malicious or even misconfigured client to rapidly connect and disconnect. This pattern can exhaust server goroutines, crippling the service. The vulnerabil...
The Lab · 2026-04-10 23:22:33 · GitHub Issues
A critical security flaw in the widely-used Go-JOSE library forces a mandatory patch to version 4.1.4. The vulnerability, tracked as CVE-2026-34986, causes the library to panic and crash when attempting to decrypt a specially crafted JSON Web Encryption (JWE) object. This is not a theoretical weakness; it is a denial-o...
The Lab · 2026-04-16 21:22:49 · GitHub Issues
A critical security update has been flagged for the OpenTelemetry Go SDK, mandating an immediate dependency upgrade from version 1.37.0 to 1.43.0. The update, managed via an automated Renovate pull request, is explicitly tagged with a [SECURITY] label, signaling the presence of vulnerabilities that are now addressed in...
The Lab · 2026-04-19 02:22:27 · GitHub Issues
A high-severity security flaw has been identified in the Engram project's starter utility, where the use of a dynamic argument vector (`argv`) with the `syscall.Exec` function creates a direct path for code injection. The vulnerability, flagged as 'Blocking / High' by automated scanning, resides in `cmd/starter/main.go...
The Lab · 2026-04-19 14:22:36 · GitHub Issues
A critical memory-safety vulnerability, CVE-2026-33816, has been disclosed in the widely-used `github.com/jackc/pgx/v5` PostgreSQL database driver for Go. The flaw carries a maximum CVSS severity score of 9.8 out of 10, indicating a risk of complete system compromise. The vulnerability is network-exploitable, requires ...
The Lab · 2026-04-19 18:22:41 · GitHub Issues
A critical security flaw has been identified in the widely-used GORM PostgreSQL driver, exposing applications to a severe remote code execution risk. The vulnerability, tracked as CVE-2026-33815, carries a maximum CVSS score of 9.8 and originates not from GORM itself, but from its transitive dependency on the `github.c...