Go Vulnerability Database

• GHSA-r4v7-6wcg-ghj5
• Affects: github.com/gtsteffaniak/filebrowser
• Published: Jun 25, 2026
• Unreviewed

FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks in github.com/gtsteffaniak/filebrowser. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/gtsteffaniak/filebrowser before v0.0.0-20260522161427-fa5abc8c67f3a.

• CVE-2026-52802, GHSA-xxhq-69mf-w8cr
• Affects: gogs.io/gogs
• Published: Jun 25, 2026
• Unreviewed

Gogs has an Open Redirect via redirect_to in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: gogs.io/gogs before v0.14.3.

• CVE-2026-45721, GHSA-xwcr-wm99-g9jc
• Affects: github.com/xyproto/algernon
• Published: Jun 25, 2026
• Unreviewed

Algernon: handler.lua discovery walks parent directories above the server root in github.com/xyproto/algernon

• CVE-2026-34742, GHSA-xw59-hvm2-8pj6
• Affects: github.com/modelcontextprotocol/go-sdk
• Published: Jun 25, 2026
• Unreviewed

DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost in github.com/modelcontextprotocol/go-sdk

• CVE-2026-34762, GHSA-xw45-cc32-442f
• Affects: github.com/ellanetworks/core
• Published: Jun 25, 2026
• Unreviewed

Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber in github.com/ellanetworks/core