Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Search
Recent Reports
GO-2025-4175
standard library- CVE-2025-61727
- Affects: crypto/x509
- Published: Dec 02, 2025
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- CVE-2025-13353, GHSA-69jw-4jj8-fcxm
- Affects: github.com/cloudflare/gokey
- Published: Dec 02, 2025
- Unreviewed
gokey allows secret recovery from a seed file without the master password in github.com/cloudflare/gokey
- CVE-2025-12756, GHSA-p6gj-jc38-x2m7
- Affects: github.com/mattermost/mattermost, github.com/mattermost/mattermost, and 6 more
- Published: Dec 02, 2025
- Unreviewed
Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .
- CVE-2025-66410, GHSA-jrhg-82w2-vvj7
- Affects: github.com/flipped-aurora/gin-vue-admin
- Published: Dec 02, 2025
- Unreviewed
Gin-vue-admin has an arbitrary file deletion vulnerability in github.com/flipped-aurora/gin-vue-admin
- CVE-2025-60632, GHSA-vgq7-9r5r-j9v3
- Affects: github.com/free5gc/pcf
- Published: Dec 02, 2025
- Unreviewed
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API in github.com/free5gc/pcf
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.