Skip to content

fix(security): remediate CVE vulnerabilities#122

Merged
phisco merged 1 commit into
release-0.7from
fix/cve-remediation-release-0.7-20260615-214700
Jun 16, 2026
Merged

fix(security): remediate CVE vulnerabilities#122
phisco merged 1 commit into
release-0.7from
fix/cve-remediation-release-0.7-20260615-214700

Conversation

@ulucinar

Copy link
Copy Markdown
Collaborator

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

CVE/GHSA Severity Package Fixed Version
GO-2026-5026 Critical golang.org/x/net v0.55.0
CVE-2026-42504 High stdlib go1.26.4
GO-2026-5038 High stdlib go1.26.4
GO-2026-4918 High golang.org/x/net v0.55.0
CVE-2026-42507 Medium stdlib go1.26.4
GO-2026-5039 Medium stdlib go1.26.4
GO-2026-5028 Medium golang.org/x/net v0.55.0
GO-2026-5025 Medium golang.org/x/net v0.55.0
GO-2026-5027 Medium golang.org/x/net v0.55.0
GO-2026-5029 Medium golang.org/x/net v0.55.0
GO-2026-5030 Medium golang.org/x/net v0.55.0
CVE-2026-27145 Medium stdlib go1.26.4
GO-2026-5037 Medium stdlib go1.26.4
GO-2026-5024 Low golang.org/x/sys v0.45.0

Changes Made

  • Updated Go version from 1.26.3 to 1.26.4 in go.mod
  • Updated golang.org/x/net from v0.49.0 to v0.55.0
  • Updated golang.org/x/sys from v0.40.0 to v0.45.0
  • Ran go mod tidy to update go.sum
  • Updated GO_VERSION in .github/workflows/ci.yml to 1.26.4

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.26.4 (fixes CVE-2026-42504, GO-2026-5038, CVE-2026-42507, GO-2026-5039, CVE-2026-27145, GO-2026-5037)
- Update golang.org/x/net to v0.55.0 (fixes GO-2026-5026, GO-2026-4918, GO-2026-5028, GO-2026-5025, GO-2026-5027, GO-2026-5029, GO-2026-5030)
- Update golang.org/x/sys to v0.45.0 (fixes GO-2026-5024)
- Update CI workflow Go version to 1.26.4

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
@ulucinar
ulucinar requested a review from phisco as a code owner June 15, 2026 21:47

@sergenyalcin sergenyalcin left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ulucinar LGTM!

@phisco
phisco merged commit 5589092 into release-0.7 Jun 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants