OSV - Open Source Vulnerabilities

GO-2025-4133

Go/github.com/mattermost/mattermost-server
Go/github.com/mattermost/mattermost-server/v5
Go/github.com/mattermost/mattermost-server/v6
Go/github.com/mattermost/mattermost/server/v8

Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server

1 hour ago

Fix available

GO-2025-4138

Go/github.com/esm-dev/esm.sh

esm.sh CDN service has arbitrary file write via tarslip in github.com/esm-dev/esm.sh

1 hour ago

Fix available

GO-2025-4139

Go/github.com/esm-dev/esm.sh

esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh

1 hour ago

Fix available

GO-2025-4146

Go/github.com/mattermost/mattermost-server
Go/github.com/mattermost/mattermost-server/v5

Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server

1 hour ago

Fix available

GO-2025-4147

Go/github.com/mindersec/minder

Minder does not sandbox http.send in Rego programs in github.com/mindersec/minder

1 hour ago

Fix available

GO-2025-4149

Go/github.com/google/osv-scalibr

OSV-SCALIBR has NULL Pointer Dereference in github.com/google/osv-scalibr

1 hour ago

Fix available

GO-2025-4150

Go/github.com/openfga/openfga

OpenFGA Improper Policy Enforcement in github.com/openfga/openfga

1 hour ago

Fix available

GO-2025-4151

Go/github.com/authzed/spicedb

SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results in github.com/authzed/spicedb

1 hour ago

Fix available

GO-2025-4152

Go/github.com/hashicorp/terraform-provider-vault

Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault

1 hour ago

No fix available

GO-2025-4153

Go/github.com/grafana/grafana

Grafana Incorrect Privilege Assignment vulnerability in github.com/grafana/grafana

1 hour ago

No fix available

GO-2025-4156

Go/github.com/openbao/openbao

OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation in github.com/openbao/openbao

1 hour ago

No fix available

GO-2025-4157

Go/github.com/babylonlabs-io/babylon
Go/github.com/babylonlabs-io/babylon/v2
Go/github.com/babylonlabs-io/babylon/v3
Go/github.com/babylonlabs-io/babylon/v4

Babylon's malformed vote extensions are not rejected in github.com/babylonlabs-io/babylon

1 hour ago

Fix available

GO-2025-4158

Go/github.com/lf-edge/ekuiper
Go/github.com/lf-edge/ekuiper/v2

LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction in github.com/lf-edge/ekuiper

1 hour ago

Fix available

GO-2025-4159

Go/github.com/babylonlabs-io/babylon
Go/github.com/babylonlabs-io/babylon/v2
Go/github.com/babylonlabs-io/babylon/v3
Go/github.com/babylonlabs-io/babylon/v4

Babylon's BIP322 signature implementation is not fully compliant to the spec in github.com/babylonlabs-io/babylon

1 hour ago

Fix available

GO-2025-4160

Go/github.com/anchore/grype

Grype has a credential disclosure vulnerability in its JSON output in github.com/anchore/grype

1 hour ago

Fix available

GHSA-6gxw-85q2-q646

Go/github.com/anchore/grype

Grype has a credential disclosure vulnerability in its JSON output

5 hours ago

Fix available
Severity - 8.2 (High)