Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
{ "url": "https://pkg.go.dev/vuln/GO-2026-5917", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5917.json"