{"url":"http://public2.vulnerablecode.io/api/packages/994118?format=json","purl":"pkg:golang/github.com/go-jose/go-jose/v4@4.1.4","type":"golang","namespace":"github.com/go-jose/go-jose","name":"v4","version":"4.1.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/349524?format=json","vulnerability_id":"VCID-r5yf-qtqg-93cs","summary":"Go JOSE Panics in JWE decryption\n### Impact\n\nDecrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`.\n\nThis code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. 
If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.\n\nThis panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common.\n\nPanics can lead to denial of service.\n\n### Fixed In\n\n4.1.4 and v3.0.5\n\n### Workarounds\n\nIf the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected.\n\nIf your application uses key wrapping, you can prevalidate the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`).\n\n### Thanks\n\nGo JOSE thanks Datadog's Security team for finding this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34986.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34986.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34986","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02988","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03001","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03002","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03026","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05371","published_
at":"2026-04-26T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05291","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05138","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05135","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0537","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05329","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05205","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05191","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06144","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06048","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06784","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06719","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06726","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06741","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06772","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06774","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34986"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34986","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34986"},{"reference_url":"https://ftp.suse.com/pub
/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/go-jose/go-jose","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-jose/go-jose"},{"reference_url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:21:42Z/"}],"url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34986","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34986"},{"reference_url":"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:21:42Z/"}],"url":"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-c
onstants"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136026","reference_id":"1136026","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136026"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136027","reference_id":"1136027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136027"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136028","reference_id":"1136028","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136028"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455470","reference_id":"2455470","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455470"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10125","reference_id":"RHSA-2026:10125","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10125"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10130","reference_id":"RHSA-2026:10130","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10130"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10135","reference_id":"RHSA-2026:10135","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10135"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11070","reference_id":"RHSA-2026:11070","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11070"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11217","reference_id":"RHSA-2026:11217","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11217"},{"reference_url":"https://access.redhat.com/errata/
RHSA-2026:11512","reference_id":"RHSA-2026:11512","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11512"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11688","reference_id":"RHSA-2026:11688","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11688"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11856","reference_id":"RHSA-2026:11856","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11856"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11916","reference_id":"RHSA-2026:11916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11916"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11996","reference_id":"RHSA-2026:11996","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11996"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:12116","reference_id":"RHSA-2026:12116","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:12116"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:12277","reference_id":"RHSA-2026:12277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:12277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:12279","reference_id":"RHSA-2026:12279","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:12279"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13791","reference_id":"RHSA-2026:13791","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13791"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13829","reference_id":"RHSA-2026:13829","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13829"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:16696","reference_id":"RHSA-2026:16696","reference_type":"","scores":[],"url":"h
ttps://access.redhat.com/errata/RHSA-2026:16696"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17040","reference_id":"RHSA-2026:17040","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17040"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17121","reference_id":"RHSA-2026:17121","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17121"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17123","reference_id":"RHSA-2026:17123","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17123"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17287","reference_id":"RHSA-2026:17287","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17287"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17458","reference_id":"RHSA-2026:17458","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17458"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17459","reference_id":"RHSA-2026:17459","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17459"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17547","reference_id":"RHSA-2026:17547","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17547"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:17550","reference_id":"RHSA-2026:17550","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:17550"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8490","reference_id":"RHSA-2026:8490","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8490"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8491","reference_id":"RHSA-2026:8491","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8491"},{"reference_url":"https://access.redhat.com/er
rata/RHSA-2026:8493","reference_id":"RHSA-2026:8493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9385","reference_id":"RHSA-2026:9385","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9385"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9388","reference_id":"RHSA-2026:9388","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9388"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9448","reference_id":"RHSA-2026:9448","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9448"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9453","reference_id":"RHSA-2026:9453","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9453"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994118?format=json","purl":"pkg:golang/github.com/go-jose/go-jose/v4@4.1.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-jose/go-jose/v4@4.1.4"}],"aliases":["CVE-2026-34986","GHSA-78h2-9frx-2jm8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5yf-qtqg-93cs"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-jose/go-jose/v4@4.1.4"}