Skip to content

chore(docker)(deps): bump alpine from 3.19 to 3.24#69

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/alpine-3.24
Open

chore(docker)(deps): bump alpine from 3.19 to 3.24#69
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/alpine-3.24

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown

Bumps alpine from 3.19 to 3.24.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(docker)(deps): bump alpine from 3.19 to 3.24
cc5e327 
Bumps alpine from 3.19 to 3.24.

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3.24'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 15, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: docker, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot mentioned this pull request Jun 15, 2026
Closed
@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

NPM Vulnerability Scan Results - e2e

Severity Count
Critical 0
High 1
Moderate 4
Low 0
Total 5
Click to see details 
# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.15.1
Severity: moderate
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs
  body-parser  1.20.3 - 1.20.4 || 2.0.0-beta.1 - 2.0.2
  Depends on vulnerable versions of qs
  node_modules/body-parser
  express  4.21.0 - 4.22.1 || 5.0.0-alpha.1 - 5.0.1
  Depends on vulnerable versions of qs
  node_modules/express

ws  8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
fix available via `npm audit fix`
node_modules/ws

5 vulnerabilities (4 moderate, 1 high)

To address all issues, run:
  npm audit fix

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

NPM Vulnerability Scan Results - web

Severity Count
Critical 3
High 7
Moderate 8
Low 0
Total 18
Click to see details 
# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

esbuild  0.17.0 - 0.28.0
Severity: high
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY - https://github.com/advisories/GHSA-gv7w-rqvm-qjhr
fix available via `npm audit fix`
node_modules/esbuild
  vite  4.2.0-beta.0 - 8.0.3
  Depends on vulnerable versions of esbuild
  node_modules/vite

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

i18next-http-backend  <3.0.5
Severity: moderate
 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - https://github.com/advisories/GHSA-q89c-q3h5-w34g
fix available via `npm audit fix`
node_modules/i18next-http-backend

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss

protocol-buffers-schema  <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - https://github.com/advisories/GHSA-j452-xhg8-qg39
fix available via `npm audit fix`
node_modules/protocol-buffers-schema

react-router  6.7.0 - 6.30.3
Severity: moderate
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation - https://github.com/advisories/GHSA-2j2x-hqr9-3h42
fix available via `npm audit fix`
node_modules/react-router
  react-router-dom  6.6.3-pre.0 - 6.30.3
  Depends on vulnerable versions of react-router
  node_modules/react-router-dom

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup


vitest  4.0.0-beta.1 - 4.1.0-beta.6
Severity: critical
Depends on vulnerable versions of @vitest/ui
When Vitest UI server is listening, arbitrary file can be read and executed - https://github.com/advisories/GHSA-5xrq-8626-4rwp
fix available via `npm audit fix`
node_modules/vitest
  @vitest/coverage-v8  4.0.0-beta.1 - 4.1.0-beta.6
  Depends on vulnerable versions of vitest
  node_modules/@vitest/coverage-v8
  @vitest/ui  4.0.0-beta.1 - 4.1.0-beta.6
  Depends on vulnerable versions of vitest
  node_modules/@vitest/ui

ws  8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
fix available via `npm audit fix`
node_modules/ws

18 vulnerabilities (8 moderate, 7 high, 3 critical)

To address all issues, run:
  npm audit fix

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity Count
Critical 0
High 2
Medium 8
Low 20
Total 30
Click to see details 

Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.24.0) │ alpine │       30        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.71/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.24.0)
======================================
Total: 30 (LOW: 20, MEDIUM: 8, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2026-45447 │ HIGH     │ fixed  │ 3.5.6-r0          │ 3.5.7-r0      │ openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45447                   │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34182 │ MEDIUM   │        │                   │               │ openssl: CMS AuthEnvelopedData Processing May Accept Forged  │
│            │                │          │        │                   │               │ Messages                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34182                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34183 │          │        │                   │               │ openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE  │
│            │                │          │        │                   │               │ Handler                                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34183                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42764 │          │        │                   │               │ openssl: NULL pointer dereference in QUIC server initial     │
│            │                │          │        │                   │               │ packet handling                                              │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42764                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-45445 │          │        │                   │               │ openssl: AES-OCB IV Ignored on EVP_Cipher() Path             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45445                   │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34180 │ LOW      │        │                   │               │ openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding    │
│            │                │          │        │                   │               │ can lead to denial...                                        │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34180                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34181 │          │        │                   │               │ openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short   │
│            │                │          │        │                   │               │ HMAC Keys                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34181                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42766 │          │        │                   │               │ openssl: Possible NULL Dereference in Password-Based CMS     │
│            │                │          │        │                   │               │ Decryption                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42766                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42767 │          │        │                   │               │ openssl: NULL Pointer Dereference in CRMF EncryptedValue     │
│            │                │          │        │                   │               │ Decryption                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42767                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42768 │          │        │                   │               │ openssl: Multi-RecipientInfo Bleichenbacher Oracle in        │
│            │                │          │        │                   │               │ CMS_decrypt() and PKCS7_decrypt()                            │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42768                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42769 │          │        │                   │               │ openssl: Trust-Anchor Substitution via cert/issuer Typo in   │
│            │                │          │        │                   │               │ CMP rootCaKeyUpdate                                          │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42769                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42770 │          │        │                   │               │ openssl: FFC-DH Peer Validation Uses Attacker-Supplied q     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42770                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-45446 │          │        │                   │               │ openssl: Incorrect Tag Processing for Empty Messages in      │
│            │                │          │        │                   │               │ AES-GCM-SIV and AES-SIV modes...                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45446                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-7383  │          │        │                   │               │ openssl: OpenSSL: Heap buffer overflow due to signed integer │
│            │                │          │        │                   │               │ overflow in Unicode...                                       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-7383                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-9076  │          │        │                   │               │ openssl: OpenSSL: Denial of Service due to heap              │
│            │                │          │        │                   │               │ out-of-bounds read in CMS...                                 │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-9076                    │
├────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2026-45447 │ HIGH     │        │                   │               │ openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45447                   │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34182 │ MEDIUM   │        │                   │               │ openssl: CMS AuthEnvelopedData Processing May Accept Forged  │
│            │                │          │        │                   │               │ Messages                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34182                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34183 │          │        │                   │               │ openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE  │
│            │                │          │        │                   │               │ Handler                                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34183                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42764 │          │        │                   │               │ openssl: NULL pointer dereference in QUIC server initial     │
│            │                │          │        │                   │               │ packet handling                                              │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42764                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-45445 │          │        │                   │               │ openssl: AES-OCB IV Ignored on EVP_Cipher() Path             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45445                   │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34180 │ LOW      │        │                   │               │ openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding    │
│            │                │          │        │                   │               │ can lead to denial...                                        │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34180                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-34181 │          │        │                   │               │ openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short   │
│            │                │          │        │                   │               │ HMAC Keys                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-34181                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42766 │          │        │                   │               │ openssl: Possible NULL Dereference in Password-Based CMS     │
│            │                │          │        │                   │               │ Decryption                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42766                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42767 │          │        │                   │               │ openssl: NULL Pointer Dereference in CRMF EncryptedValue     │
│            │                │          │        │                   │               │ Decryption                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42767                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42768 │          │        │                   │               │ openssl: Multi-RecipientInfo Bleichenbacher Oracle in        │
│            │                │          │        │                   │               │ CMS_decrypt() and PKCS7_decrypt()                            │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42768                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42769 │          │        │                   │               │ openssl: Trust-Anchor Substitution via cert/issuer Typo in   │
│            │                │          │        │                   │               │ CMP rootCaKeyUpdate                                          │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42769                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-42770 │          │        │                   │               │ openssl: FFC-DH Peer Validation Uses Attacker-Supplied q     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42770                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-45446 │          │        │                   │               │ openssl: Incorrect Tag Processing for Empty Messages in      │
│            │                │          │        │                   │               │ AES-GCM-SIV and AES-SIV modes...                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-45446                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-7383  │          │        │                   │               │ openssl: OpenSSL: Heap buffer overflow due to signed integer │
│            │                │          │        │                   │               │ overflow in Unicode...                                       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-7383                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2026-9076  │          │        │                   │               │ openssl: OpenSSL: Denial of Service due to heap              │
│            │                │          │        │                   │               │ out-of-bounds read in CMS...                                 │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-9076                    │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity Count
Critical 1
High 15
Medium 8
Low 1
Total 25
Click to see details 

Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.14) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       25        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.71/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 25 (LOW: 1, MEDIUM: 8, HIGH: 15, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel                                     │ CVE-2026-29181 │ HIGH     │ fixed  │ v1.38.0           │ 1.41.0          │ github.com/open-telemetry/opentelemetry-go:                  │
│                                                              │                │          │        │                   │                 │ OpenTelemetry-Go: Denial of Service via crafted multi-value  │
│                                                              │                │          │        │                   │                 │ baggage headers                                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-29181                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │        │ v1.24.0           │ 1.43.0          │ OpenTelemetry-Go is the Go implementation of OpenTelemetry.  │
│ http                                                         │                │          │        │                   │                 │ Prior to 1 ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39882                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0          │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution  │
│                                                              │                │          │        │                   │                 │ via PATH Hijacking                                           │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-24051                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0          │ github.com/open-telemetry/opentelemetry-go:                  │
│                                                              │                │          │        │                   │                 │ OpenTelemetry-Go: Arbitrary code execution via PATH          │
│                                                              │                │          │        │                   │                 │ hijacking on BSD/Solaris                                     │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39883                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3          │ google.golang.org/grpc/grpc-go:                              │
│                                                              │                │          │        │                   │                 │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass  │
│                                                              │                │          │        │                   │                 │ due to improper HTTP/2 path validation                       │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33186                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1  │ net/url: Incorrect parsing of IPv6 host literals in net/url  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-25679                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2  │ crypto/x509: crypto/tls: golang: Go: Denial of Service       │
│                                                              │                │          │        │                   │                 │ vulnerability in certificate chain building...               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32280                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                 │ crypto/x509: golang: Go crypto/x509: Denial of Service via   │
│                                                              │                │          │        │                   │                 │ inefficient certificate chain validation...                  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32281                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                 │ crypto/tls: golang: Go crypto/tls: Denial of Service via     │
│                                                              │                │          │        │                   │                 │ multiple TLS 1.3 key...                                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32283                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33811 │          │        │                   │ 1.25.10, 1.26.3 │ net: golang: Go net package: Denial of Service via long      │
│                                                              │                │          │        │                   │                 │ CNAME response...                                            │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33811                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33814 │          │        │                   │                 │ When processing HTTP/2 SETTINGS frames, transport will enter │
│                                                              │                │          │        │                   │                 │ an infini ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33814                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39820 │          │        │                   │                 │ Well-crafted inputs reaching ParseAddress, ParseAddressList, │
│                                                              │                │          │        │                   │                 │ and Parse ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39820                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39823 │          │        │                   │                 │ CVE-2026-27142 fixed a vulnerability in which URLs were not  │
│                                                              │                │          │        │                   │                 │ correctly ......                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39823                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39825 │          │        │                   │                 │ ReverseProxy can forward queries containing parameters not   │
│                                                              │                │          │        │                   │                 │ visible to ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39825                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39836 │          │        │                   │                 │ ELSA-2026-22112: go-toolset:ol8 security update (IMPORTANT)  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39836                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-42499 │          │        │                   │                 │ Pathological inputs could cause DoS through consumePhrase    │
│                                                              │                │          │        │                   │                 │ when parsing ...                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-42499                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-42504 │          │        │                   │ 1.25.11, 1.26.4 │ Decoding a maliciously-crafted MIME header containing many   │
│                                                              │                │          │        │                   │                 │ invalid enc ...                                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-42504                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1  │ html/template: URLs in meta content attribute actions are    │
│                                                              │                │          │        │                   │                 │ not escaped in html/template...                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27142                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27145 │          │        │                   │ 1.25.11, 1.26.4 │ *x509.Certificate).VerifyHostname previously called          │
│                                                              │                │          │        │                   │                 │ matchHostnames in ...                                        │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27145                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2  │ golang: internal/syscall/unix: Root.Chmod can follow         │
│                                                              │                │          │        │                   │                 │ symlinks out of the root                                     │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32282                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                 │ archive/tar: golang: Go's archive/tar package: Denial of     │
│                                                              │                │          │        │                   │                 │ Service via maliciously-crafted archive                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32288                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                 │ html/template: golang: html/template: Cross-Site Scripting   │
│                                                              │                │          │        │                   │                 │ (XSS) via improper context and brace depth...                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32289                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39826 │          │        │                   │ 1.25.10, 1.26.3 │ html/template: golang: html/template: Cross-site scripting   │
│                                                              │                │          │        │                   │                 │ due to incorrect script tag escaping                         │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39826                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-42507 │          │        │                   │ 1.25.11, 1.26.4 │ When returning errors, functions in the net/textproto        │
│                                                              │                │          │        │                   │                 │ package would in ...                                         │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-42507                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1  │ os: FileInfo can escape from a Root in golang os module      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27139                   │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants