data/reports: add 17 reports

  - data/reports/GO-2025-3938.yaml
  - data/reports/GO-2025-3939.yaml
  - data/reports/GO-2025-3941.yaml
  - data/reports/GO-2025-3942.yaml
  - data/reports/GO-2025-3943.yaml
  - data/reports/GO-2025-3944.yaml
  - data/reports/GO-2025-3945.yaml
  - data/reports/GO-2025-3949.yaml
  - data/reports/GO-2025-3950.yaml
  - data/reports/GO-2025-3951.yaml
  - data/reports/GO-2025-3952.yaml
  - data/reports/GO-2025-3953.yaml
  - data/reports/GO-2025-3954.yaml
  - data/reports/GO-2025-3958.yaml
  - data/reports/GO-2025-3959.yaml
  - data/reports/GO-2025-3960.yaml
  - data/reports/GO-2025-3961.yaml

Fixes #3938
Fixes #3939
Fixes #3941
Fixes #3942
Fixes #3943
Fixes #3944
Fixes #3945
Fixes #3949
Fixes #3950
Fixes #3951
Fixes #3952
Fixes #3953
Fixes #3954
Fixes #3958
Fixes #3959
Fixes #3960
Fixes #3961

Change-Id: Ibf37c5e21e25c0b277506b7a3f78f790bb3080b7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/704637
Reviewed-by: Markus Kusano <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: thatnealpatel

data/osv/GO-2025-3938.json

@@ -0,0 +1,95 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3938",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-58437",
+    "GHSA-j6xf-jwrj-v5qp"
+  ],
+  "summary": "Coder vulnerable to privilege escalation could lead to a cross workspace compromise in github.com/coder/coder",
+  "details": "Coder vulnerable to privilege escalation could lead to a cross workspace compromise in github.com/coder/coder",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/coder/coder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/coder/coder/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.22.0"
+            },
+            {
+              "fixed": "2.24.4"
+            },
+            {
+              "introduced": "2.25.0"
+            },
+            {
+              "fixed": "2.25.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/coder/coder/security/advisories/GHSA-j6xf-jwrj-v5qp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58437"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/06cbb2890f453cd522bb2158a6549afa3419c276"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/20d67d7d7191a4fd5d36a61c6fc1e23ab59befc0"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/ec660907faa0b0eae20fa2ba58ce1733f5f4b35a"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/pull/19667"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/pull/19668"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/pull/19669"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3938",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3939.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3939",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-7445",
+    "GHSA-rcw7-pqfp-735x"
+  ],
+  "summary": "secrets-store-sync-controller discloses service account tokens in logs in sigs.k8s.io/secrets-store-sync-controller",
+  "details": "secrets-store-sync-controller discloses service account tokens in logs in sigs.k8s.io/secrets-store-sync-controller",
+  "affected": [
+    {
+      "package": {
+        "name": "sigs.k8s.io/secrets-store-sync-controller",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/kubernetes-sigs/secrets-store-sync-controller/security/advisories/GHSA-rcw7-pqfp-735x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7445"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kubernetes/kubernetes/issues/133897"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/kubernetes-security-announce/c/NP7cQvQ1aGA"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3939",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3941.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3941",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-58450",
+    "GHSA-p46v-f2x8-qp98"
+  ],
+  "summary": "pREST has a Systemic SQL Injection Vulnerability in github.com/prest/prest",
+  "details": "pREST has a Systemic SQL Injection Vulnerability in github.com/prest/prest",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/prest/prest",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/prest/prest/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/prest/prest/security/advisories/GHSA-p46v-f2x8-qp98"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58450"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/prest/prest/commit/47d02b87842900f77d76fc694d9aa7e983b0711c"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3941",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3942.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3942",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-58063",
+    "GHSA-93mf-426m-g6x9"
+  ],
+  "summary": "CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion in github.com/coredns/coredns",
+  "details": "CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion in github.com/coredns/coredns",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/coredns/coredns",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.2.0"
+            },
+            {
+              "fixed": "1.12.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58063"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3942",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3943.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3943",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-58430",
+    "GHSA-rf24-wg77-gq7w"
+  ],
+  "summary": "listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover in github.com/knadh/listmonk",
+  "details": "listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover in github.com/knadh/listmonk",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/knadh/listmonk",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-rf24-wg77-gq7w"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58430"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3943",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3944.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3944",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54123",
+    "GHSA-r4h8-hfp2-ggmf"
+  ],
+  "summary": "Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation in github.com/SpectoLabs/hoverfly",
+  "details": "Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation in github.com/SpectoLabs/hoverfly",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/SpectoLabs/hoverfly",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54123"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/SpectoLabs/hoverfly/pull/1203"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3944",
+    "review_status": "UNREVIEWED"
+  }
+}