{"url":"http://public2.vulnerablecode.io/api/packages/994827?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3","type":"deb","namespace":"debian","name":"golang-github-go-git-go-git","version":"5.4.2-3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.16.2-1","latest_non_vulnerable_version":"5.16.2-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24981?format=json","vulnerability_id":"VCID-62r9-cvp9-tfbg","summary":"go-git missing validation decoding Index v4 files leads to panic\n### Impact\n\n`go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.\n\nThis issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue.\n\nAn attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.\n\nExploitation requires the ability to modify or inject a Git index file within the local repository in disk. 
This typically implies write access to the `.git` directory.\n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\ngo-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33762.json","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33762.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33762","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02157","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02249","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02463","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02359","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02381","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02358","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02345","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02344","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02329","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02335","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0243
3","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02415","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02404","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02356","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33762"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/releases/tag/v5.17.1","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:26Z/"}],"url":"https://github.com/go-git/go-git/releases/tag/v5.17.1"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:26Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33762","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:
L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33762"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584","reference_id":"1132584","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453382","reference_id":"2453382","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453382"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994829?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1"}],"aliases":["CVE-2026-33762","GHSA-gm2x-2g9h-ccm8"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-62r9-cvp9-tfbg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30778?format=json","vulnerability_id":"VCID-6smu-rrju-z7ca","summary":"Maliciously crafted Git server replies can cause DoS on go-git clients\n### Impact\nA denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients. 
\n\nApplications using only the in-memory filesystem supported by `go-git` are not affected by this vulnerability.\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trust-worthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.\n\n### References\n- [GHSA-mw99-9chc-xw7r](https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49568.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49568.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49568","reference_id":"","reference_type":"","scores":[{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29427","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29818","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29827","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29732","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29749","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29727","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29683","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00112","scoring_system":"epss"
,"scoring_elements":"0.29602","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29489","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29905","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29721","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00112","scoring_system":"epss","scoring_elements":"0.29782","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30315","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49568"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-12T18:15:52Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49568","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49568"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701","reference_id":"1060701"
,"reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258165","reference_id":"2258165","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258165"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0298","reference_id":"RHSA-2024:0298","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0298"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0641","reference_id":"RHSA-2024:0641","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0641"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0642","reference_id":"RHSA-2024:0642","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0642"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0691","reference_id":"RHSA-2024:0691","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0691"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0692","reference_id":"RHSA-2024:0692","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0692"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0735","reference_id":"RHSA-2024:0735","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0735"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0740","reference_id":"RHSA-2024:0740","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0740"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0832","reference_id":"RHSA-2024:0832","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0833","reference_id":"RHSA-2024:0833","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0833"},{"reference_url":"h
ttps://access.redhat.com/errata/RHSA-2024:0843","reference_id":"RHSA-2024:0843","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0843"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0845","reference_id":"RHSA-2024:0845","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0845"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0880","reference_id":"RHSA-2024:0880","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0880"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0989","reference_id":"RHSA-2024:0989","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0989"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1052","reference_id":"RHSA-2024:1052","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1052"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1557","reference_id":"RHSA-2024:1557","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1557"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1570","reference_id":"RHSA-2024:1570","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1570"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1896","reference_id":"RHSA-2024:1896","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1896"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3889","reference_id":"RHSA-2024:3889","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3889"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3925","reference_id":"RHSA-2024:3925","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3925"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4010","reference_id":"RHSA-2024:4010","reference_type":"","scores":[],"url":"h
ttps://access.redhat.com/errata/RHSA-2024:4010"},{"reference_url":"https://usn.ubuntu.com/8088-1/","reference_id":"USN-8088-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8088-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994828?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62r9-cvp9-tfbg"},{"vulnerability":"VCID-kqrm-h42a-13ce"},{"vulnerability":"VCID-m4t6-vddc-3bfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1"}],"aliases":["CVE-2023-49568","GHSA-mw99-9chc-xw7r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6smu-rrju-z7ca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25856?format=json","vulnerability_id":"VCID-c5e4-td2w-37by","summary":"go-git clients vulnerable to DoS via maliciously crafted Git server replies\n### Impact\nA denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients. 
\n\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trust-worthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21614.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21614.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21614","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44684","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4489","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44858","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4486","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44913","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44906","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44841","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44754","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44761","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring
_elements":"0.44879","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44819","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44871","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44873","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.4561","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21614"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-06T16:34:38Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21614","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21614"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092679","reference_id":"1092679","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092679"},{"reference_url":"htt
ps://bugzilla.redhat.com/show_bug.cgi?id=2335901","reference_id":"2335901","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2335901"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0401","reference_id":"RHSA-2025:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0401"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0444","reference_id":"RHSA-2025:0444","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0444"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0445","reference_id":"RHSA-2025:0445","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0445"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0654","reference_id":"RHSA-2025:0654","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0654"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0662","reference_id":"RHSA-2025:0662","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0662"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0907","reference_id":"RHSA-2025:0907","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0907"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1119","reference_id":"RHSA-2025:1119","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1119"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1704","reference_id":"RHSA-2025:1704","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1704"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1869","reference_id":"RHSA-2025:1869","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1869"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1870","reference_id":"RHSA-2025:1870","reference_type":"","scores":[],"url":"ht
tps://access.redhat.com/errata/RHSA-2025:1870"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1888","reference_id":"RHSA-2025:1888","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1888"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3069","reference_id":"RHSA-2025:3069","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3069"},{"reference_url":"https://usn.ubuntu.com/8088-1/","reference_id":"USN-8088-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8088-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994828?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62r9-cvp9-tfbg"},{"vulnerability":"VCID-kqrm-h42a-13ce"},{"vulnerability":"VCID-m4t6-vddc-3bfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1"}],"aliases":["CVE-2025-21614","GHSA-r9px-m959-cxf4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c5e4-td2w-37by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25939?format=json","vulnerability_id":"VCID-j8jp-r751-sbf8","summary":"go-git has an Argument Injection via the URL field\n### Impact\nAn argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`. \n\nSuccessful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). 
This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.\n\n### Affected versions\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.\n\n## Credit\nThanks to @vin01 for responsibly disclosing this vulnerability to us.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21613.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-21613.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21613","reference_id":"","reference_type":"","scores":[{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.8629","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.8628","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86261","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86268","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86263","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86246","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.8625","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86253","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86227","published_at":"2026-0
4-08T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86238","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0286","scoring_system":"epss","scoring_elements":"0.86208","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02937","scoring_system":"epss","scoring_elements":"0.86376","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21613"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear"},{"value":"CRITICAL","scoring_system":"generic_textual","scori
ng_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T16:38:34Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21613","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21613"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092678","reference_id":"1092678","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092678"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2335888","reference_id":"2335888","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2335888"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0401","reference_id":"RHSA-2025:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0401"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0444","reference_id":"RHSA-2025:0444","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0444"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0445","reference_id":"RHSA-2025:0445","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0445"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0654","reference_id":"RHSA-2025:0654","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0654"},{"reference_url":"https://access.re
dhat.com/errata/RHSA-2025:0662","reference_id":"RHSA-2025:0662","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0662"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0715","reference_id":"RHSA-2025:0715","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0715"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0754","reference_id":"RHSA-2025:0754","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0754"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0907","reference_id":"RHSA-2025:0907","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0907"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1119","reference_id":"RHSA-2025:1119","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1119"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11396","reference_id":"RHSA-2025:11396","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11396"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1704","reference_id":"RHSA-2025:1704","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1704"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1869","reference_id":"RHSA-2025:1869","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1869"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1870","reference_id":"RHSA-2025:1870","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1870"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1888","reference_id":"RHSA-2025:1888","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1888"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3069","reference_id":"RHSA-2025:3069","reference_type":"","scores":[],"url":"https://access
.redhat.com/errata/RHSA-2025:3069"},{"reference_url":"https://usn.ubuntu.com/8088-1/","reference_id":"USN-8088-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8088-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994828?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62r9-cvp9-tfbg"},{"vulnerability":"VCID-kqrm-h42a-13ce"},{"vulnerability":"VCID-m4t6-vddc-3bfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1"}],"aliases":["CVE-2025-21613","GHSA-v725-9546-7q7m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8jp-r751-sbf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21072?format=json","vulnerability_id":"VCID-kqrm-h42a-13ce","summary":"go-git improperly verifies data integrity values for .idx and .pack files\n### Impact \n\nA vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.\n\nFor context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly.\n\nNote that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. 
TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.\n\n### Patches\n\nUsers should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Workarounds\n\nIn case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository. \n\n### Credit\n\nThanks @N0zoM1z0 for finding and reporting this issue privately to the `go-git` project.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25934.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25934.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25934","reference_id":"","reference_type":"","scores":[{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00347","published_at":"2026-04-16T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00352","published_at":"2026-04-13T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00355","published_at":"2026-04-12T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00371","published_at":"2026-04-02T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00359","published_at":"2026-04-09T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00362","published_at":"2026-04-07T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00375","published_at":"2026-04-04T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.0
0358","published_at":"2026-04-11T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00535","published_at":"2026-04-29T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00506","published_at":"2026-04-18T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00537","published_at":"2026-04-21T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00533","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25934"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/releases/tag/v5.16.5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:23:04Z/"}],"url":"https://github.com/go-git/go-git/releases/tag/v5.16.5"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual"
,"scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:23:04Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25934","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25934"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127844","reference_id":"1127844","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127844"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438332","reference_id":"2438332","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438332"},{"reference_url":"https://usn.ubuntu.com/8088-1/","reference_id":"USN-8088-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8088-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994829?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1"}],"aliases":["CVE-2026-25934","GHSA-37cx-329c-33x3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kqrm-h42a-13ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24798?format=json","vulnerability_id":"VCID-m4t6-vddc-3bfw","summary":"go-git: Maliciously crafted idx file can cause asymmetric memory consumption\n### Impact\n\nA vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, 
potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.\n\nExploitation requires write access to the local repository's `.git` directory, in order to create or alter existing `.idx` files. \n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\nThe go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34165.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34165","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02244","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02234","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02252","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02254","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02266","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02284","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02094","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.0226","published_at":"2026-04-07T12:55:00Z"},{"value":"
0.00013","scoring_system":"epss","scoring_elements":"0.02158","published_at":"2026-04-04T12:55:00Z"},{"value":"5e-05","scoring_system":"epss","scoring_elements":"0.00278","published_at":"2026-04-29T12:55:00Z"},{"value":"5e-05","scoring_system":"epss","scoring_elements":"0.00285","published_at":"2026-04-24T12:55:00Z"},{"value":"5e-05","scoring_system":"epss","scoring_elements":"0.00283","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34165"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/releases/tag/v5.17.1","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/"}],"url":"https://github.com/go-git/go-git/releases/tag/v5.17.1"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:09:59Z/"}],"url":"https://gith
ub.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34165","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34165"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584","reference_id":"1132584","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132584"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453379","reference_id":"2453379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453379"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994829?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.16.2-1"}],"aliases":["CVE-2026-34165","GHSA-jhf3-xxhw-2wpp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m4t6-vddc-3bfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13991?format=json","vulnerability_id":"VCID-rka6-epua-h7gz","summary":"Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients\n### Impact\nA path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. 
In the worst case scenario, remote code execution could be achieved.\n\nApplications are only affected if they are using the [ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using [BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.11` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible in a timely manner, we recommend limiting its use to only trustworthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49569.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49569.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49569","reference_id":"","reference_type":"","scores":[{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88516","published_at":"2026-04-29T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88482","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88492","published_at":"2026-04-11T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88485","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88484","published_at":"2026-04-13T12:55:00Z"},{"value":"0.04027","scoring_syste
m":"epss","scoring_elements":"0.88499","published_at":"2026-04-16T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88496","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88494","published_at":"2026-04-21T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88511","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88453","published_at":"2026-04-04T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88457","published_at":"2026-04-07T12:55:00Z"},{"value":"0.04027","scoring_system":"epss","scoring_elements":"0.88476","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04134","scoring_system":"epss","scoring_elements":"0.88604","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49569"},{"reference_url":"https://github.com/go-git/go-git","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/go-git/go-git"},{"reference_url":"https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-18T19:36:00Z/"}],"url":"https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49569","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/
A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49569"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701","reference_id":"1060701","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258143","reference_id":"2258143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2258143"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7197","reference_id":"RHSA-2023:7197","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7197"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7198","reference_id":"RHSA-2023:7198","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7198"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0040","reference_id":"RHSA-2024:0040","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0040"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0298","reference_id":"RHSA-2024:0298","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0298"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0641","reference_id":"RHSA-2024:0641","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0641"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0642","reference_id":"RHSA-2024:0642","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0642"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0692","reference_id":"RHSA-2024:0692","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0692"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0735","reference_id":"RHSA-2024:0735","reference_type":"","scores":[],"url":"https://access
.redhat.com/errata/RHSA-2024:0735"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0740","reference_id":"RHSA-2024:0740","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0740"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0832","reference_id":"RHSA-2024:0832","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0833","reference_id":"RHSA-2024:0833","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0833"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0843","reference_id":"RHSA-2024:0843","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0843"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0845","reference_id":"RHSA-2024:0845","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0845"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0880","reference_id":"RHSA-2024:0880","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0880"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0989","reference_id":"RHSA-2024:0989","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0989"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1052","reference_id":"RHSA-2024:1052","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1052"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1549","reference_id":"RHSA-2024:1549","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1549"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1557","reference_id":"RHSA-2024:1557","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1557"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1896","reference_id":"R
HSA-2024:1896","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1896"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2633","reference_id":"RHSA-2024:2633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3925","reference_id":"RHSA-2024:3925","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3925"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4118","reference_id":"RHSA-2024:4118","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4118"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:5013","reference_id":"RHSA-2024:5013","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:5013"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6221","reference_id":"RHSA-2024:6221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6221"},{"reference_url":"https://usn.ubuntu.com/8088-1/","reference_id":"USN-8088-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8088-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994828?format=json","purl":"pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-62r9-cvp9-tfbg"},{"vulnerability":"VCID-kqrm-h42a-13ce"},{"vulnerability":"VCID-m4t6-vddc-3bfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1"}],"aliases":["CVE-2023-49569","GHSA-449p-3h89-pw88"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rka6-epua-h7gz"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3"}