Go Vulnerability Database

• CVE-2026-32280
• Affects: crypto/x509
• Published: Apr 07, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

• CVE-2026-32281
• Affects: crypto/x509
• Published: Apr 07, 2026

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

• CVE-2025-68153, GHSA-245v-p8fj-vwm2
• Affects: github.com/juju/juju
• Published: Apr 06, 2026
• Unreviewed

Juju has a resource poisoning vulnerability in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9 before v2.9.56, from v3.6 before v3.6.19.

• CVE-2026-33817, GHSA-6jwv-w5xf-7j27
• Affects: go.etcd.io/bbolt
• Published: Apr 06, 2026
• Modified: Apr 08, 2026
• Withdrawn: Apr 08, 2026

(withdrawn)

• CVE-2026-34940, GHSA-324q-cwx9-7crr
• Affects: github.com/kubeai-project/kubeai
• Published: Apr 06, 2026
• Unreviewed

KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai