apk package

chainguard/src-fingerprint-fips

pkg:apk/chainguard/src-fingerprint-fips

Vulnerabilities (65)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-45571		—	< 0.19.0-r34	0.19.0-r34	May 19, 2026	### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570	low	—	< 0.19.0-r34	0.19.0-r34	May 19, 2026	### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022	hig	—	< 0.19.0-r33	0.19.0-r33	May 11, 2026	### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506	Med	4.7	< 0.19.0-r30	0.19.0-r30	May 8, 2026	go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-42501	Hig	7.5	< 0.19.0-r31	0.19.0-r31	May 7, 2026	A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499	Hig	7.5	< 0	0	May 7, 2026	Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836	Hig	7.5	< 0.19.0-r31	0.19.0-r31	May 7, 2026	The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826	Med	6.1	< 0	0	May 7, 2026	If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825	Med	5.3	< 0	0	May 7, 2026	ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823	Med	6.1	< 0	0	May 7, 2026	CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820	Hig	7.5	< 0	0	May 7, 2026	Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819	Med	5.3	< 0.19.0-r31	0.19.0-r31	May 7, 2026	The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817	Med	5.9	< 0.19.0-r31	0.19.0-r31	May 7, 2026	The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814	Hig	7.5	< 0.19.0-r31	0.19.0-r31	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811	Hig	7.5	< 0	0	May 7, 2026	When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-34165	Med	5.0	< 0.19.0-r29	0.19.0-r29	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762	Low	2.8	< 0.19.0-r29	0.19.0-r29	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-27142	Med	6.1	< 0	0	Mar 6, 2026	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139	Low	2.5	< 0.19.0-r28	0.19.0-r28	Mar 6, 2026	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679	Hig	7.5	< 0.19.0-r28	0.19.0-r28	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-45571May 19, 2026
affected < 0.19.0-r34fixed 0.19.0-r34
### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g
CVE-2026-45570lowMay 19, 2026
affected < 0.19.0-r34fixed 0.19.0-r34
### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd
CVE-2026-45022higMay 11, 2026
affected < 0.19.0-r33fixed 0.19.0-r33
### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa
CVE-2026-41506MedMay 8, 2026
affected < 0.19.0-r30fixed 0.19.0-r30
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
CVE-2026-42501HigMay 7, 2026
affected < 0.19.0-r31fixed 0.19.0-r31
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499HigMay 7, 2026
affected < 0fixed 0
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836HigMay 7, 2026
affected < 0.19.0-r31fixed 0.19.0-r31
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826MedMay 7, 2026
affected < 0fixed 0
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825MedMay 7, 2026
affected < 0fixed 0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823MedMay 7, 2026
affected < 0fixed 0
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820HigMay 7, 2026
affected < 0fixed 0
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819MedMay 7, 2026
affected < 0.19.0-r31fixed 0.19.0-r31
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817MedMay 7, 2026
affected < 0.19.0-r31fixed 0.19.0-r31
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814HigMay 7, 2026
affected < 0.19.0-r31fixed 0.19.0-r31
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811HigMay 7, 2026
affected < 0fixed 0
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-34165MedMar 31, 2026
affected < 0.19.0-r29fixed 0.19.0-r29
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762LowMar 31, 2026
affected < 0.19.0-r29fixed 0.19.0-r29
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-27142MedMar 6, 2026
affected < 0fixed 0
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139LowMar 6, 2026
affected < 0.19.0-r28fixed 0.19.0-r28
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679HigMar 6, 2026
affected < 0.19.0-r28fixed 0.19.0-r28
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Page 1 of 4