data/reports: add 15 reports

  - data/reports/GO-2025-3916.yaml
  - data/reports/GO-2025-3917.yaml
  - data/reports/GO-2025-3918.yaml
  - data/reports/GO-2025-3919.yaml
  - data/reports/GO-2025-3920.yaml
  - data/reports/GO-2025-3921.yaml
  - data/reports/GO-2025-3923.yaml
  - data/reports/GO-2025-3924.yaml
  - data/reports/GO-2025-3925.yaml
  - data/reports/GO-2025-3927.yaml
  - data/reports/GO-2025-3930.yaml
  - data/reports/GO-2025-3934.yaml
  - data/reports/GO-2025-3935.yaml
  - data/reports/GO-2025-3936.yaml
  - data/reports/GO-2025-3937.yaml

Fixes #3916
Fixes #3917
Fixes #3918
Fixes #3919
Fixes #3920
Fixes #3921
Fixes #3923
Fixes #3924
Fixes #3925
Fixes #3927
Fixes #3930
Fixes #3934
Fixes #3935
Fixes #3936
Fixes #3937

Change-Id: I204c0610ec5d841896550aac3ada1f234602f774
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/701335
Reviewed-by: Markus Kusano <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Ethan Lee <[email protected]>

Author: ethanalee-work

data/osv/GO-2025-3916.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3916",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-51667",
+    "GHSA-f2m2-4q6r-cwc4"
+  ],
+  "summary": "simple-admin-core SQL Injection vulnerability in github.com/suyuan32/simple-admin-core",
+  "details": "simple-admin-core SQL Injection vulnerability in github.com/suyuan32/simple-admin-core",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/suyuan32/simple-admin-core",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.2.0"
+            },
+            {
+              "fixed": "1.6.8"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-f2m2-4q6r-cwc4"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51667"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/suyuan32/simple-admin-core/commit/f1e2c4f3c55cd5953ad7f7b0706df48adaaeb18a"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/suyuan32/simple-admin-core/issues/333"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/66Giraffe66/fc258f7fcc65a6a1a1a01e217977b92d"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3916",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3917.json

@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3917",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-53884",
+    "GHSA-8ff6-pc43-jwv3"
+  ],
+  "summary": "NeuVector has an insecure password storage vulnerable to rainbow attack in github.com/neuvector/neuvector",
+  "details": "NeuVector has an insecure password storage vulnerable to rainbow attack in github.com/neuvector/neuvector.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/neuvector/neuvector from v5.0.0 before v5.4.6.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/neuvector/neuvector",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "5.0.0"
+              },
+              {
+                "fixed": "5.4.6"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3917",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3918.json

@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3918",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-8077",
+    "GHSA-8pxw-9c75-6w56"
+  ],
+  "summary": "NeuVector admin account has insecure default password in github.com/neuvector/neuvector",
+  "details": "NeuVector admin account has insecure default password in github.com/neuvector/neuvector.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/neuvector/neuvector from v5.0.0 before v5.4.6.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/neuvector/neuvector",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "5.0.0"
+              },
+              {
+                "fixed": "5.4.6"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3918",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3919.json

@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3919",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54467",
+    "GHSA-w54x-xfxg-4gxq"
+  ],
+  "summary": "NeuVector process with sensitive arguments lead to leakage in github.com/neuvector/neuvector",
+  "details": "NeuVector process with sensitive arguments lead to leakage in github.com/neuvector/neuvector.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/neuvector/neuvector from v5.0.0 before v5.4.6.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/neuvector/neuvector",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "5.0.0"
+              },
+              {
+                "fixed": "5.4.6"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3919",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3920.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3920",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-vxg3-w9rv-rhr2"
+  ],
+  "summary": "Contrast leaks workload secrets to logs on INFO level in github.com/edgelesssys/contrast",
+  "details": "Contrast leaks workload secrets to logs on INFO level in github.com/edgelesssys/contrast",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/edgelesssys/contrast",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "1.9.0"
+            },
+            {
+              "fixed": "1.12.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-vxg3-w9rv-rhr2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/edgelesssys/contrast/pull/1739"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3920",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-3921.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3921",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-3rw9-wmc8-8948"
+  ],
+  "summary": "Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder",
+  "details": "Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/coder/coder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/coder/coder/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.23.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/coder/coder/security/advisories/GHSA-3rw9-wmc8-8948"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/1a4160803589034ce1518e24a78f232c8d08f996"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3921",
+    "review_status": "UNREVIEWED"
+  }
+}