Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Search
Recent Reports
- CVE-2025-3454, GHSA-9j65-rv5x-4vrf
- Affects: github.com/grafana/grafana
- Published: Jun 09, 2025
- Unreviewed
Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250424191517-1f707d16ed5d.
- CVE-2025-48710, GHSA-7633-x85h-5mqh
- Affects: github.com/kro-run/kro
- Published: Jun 09, 2025
- Unreviewed
kro Confused Deputy vulnerability in github.com/kro-run/kro
- CVE-2025-3260, GHSA-3px7-c4j3-576r
- Affects: github.com/grafana/grafana
- Published: Jun 09, 2025
- Unreviewed
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v0.0.0-20250521183405-c7a690348df7.
- CVE-2025-48494, GHSA-95rc-wc32-gm53
- Affects: github.com/forceu/gokapi
- Published: Jun 03, 2025
- Unreviewed
Gokapi vulnerable to stored XSS via uploading file with malicious file name in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.
- CVE-2025-48495, GHSA-4xg4-54hm-9j77
- Affects: github.com/forceu/gokapi
- Published: Jun 03, 2025
- Unreviewed
Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/forceu/gokapi before v2.0.0.
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.