Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

The package pattern matched the following 10 root packages:
  linux-auth/internal/db
  linux-auth/internal/utils
  linux-auth/cmd/add_user
  linux-auth/internal/auth
  linux-auth/internal/config
  linux-auth/internal/ui
  linux-auth/cmd/authapp
  linux-auth/cmd/init_users
  linux-auth/golang-fuzz
  linux-auth/myfuzz
Govulncheck scanned the following 5 modules and the go1.24.4 standard library:
  linux-auth
  github.com/mattn/go-sqlite3@v1.14.33
  github.com/pelletier/go-toml/v2@v2.2.4
  golang.org/x/sys@v0.39.0
  golang.org/x/term@v0.38.0

=== Symbol Results ===

Vulnerability #1: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.24.4
    Fixed in: net/url@go1.24.12
    Example traces found:
      #1: internal/db/sqlite.go:32:26: db.Init calls sql.Open, which eventually calls url.ParseQuery

Vulnerability #2: GO-2025-3849
    Incorrect results returned from Rows.Scan in database/sql
  More info: https://pkg.go.dev/vuln/GO-2025-3849
  Standard library
    Found in: database/sql@go1.24.4
    Fixed in: database/sql@go1.24.6
    Example traces found:
      #1: internal/db/sqlite.go:89:17: db.GetUser calls sql.Row.Scan

=== Package Results ===

Vulnerability #1: GO-2026-4864
    TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
  More info: https://pkg.go.dev/vuln/GO-2026-4864
  Standard library
    Found in: internal/syscall/unix@go1.24.4
    Fixed in: internal/syscall/unix@go1.25.9
    Platforms: linux

Vulnerability #2: GO-2026-4602
    FileInfo can escape from a Root in os
  More info: https://pkg.go.dev/vuln/GO-2026-4602
  Standard library
    Found in: os@go1.24.4
    Fixed in: os@go1.25.8

Vulnerability #3: GO-2026-4601
    Incorrect parsing of IPv6 host literals in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4601
  Standard library
    Found in: net/url@go1.24.4
    Fixed in: net/url@go1.25.8

Vulnerability #4: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.4
    Fixed in: net/url@go1.24.8

=== Module Results ===

Vulnerability #1: GO-2026-4986
    Quadratic string concatentation in consumeComment in net/mail
  More info: https://pkg.go.dev/vuln/GO-2026-4986
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #2: GO-2026-4982
    Bypass of meta content URL escaping causes XSS in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4982
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #3: GO-2026-4981
    Crash when handling long CNAME response in net
  More info: https://pkg.go.dev/vuln/GO-2026-4981
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #4: GO-2026-4980
    Escaper bypass leads to XSS in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4980
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #5: GO-2026-4977
    Quadratic string concatenation in consumePhrase in net/mail
  More info: https://pkg.go.dev/vuln/GO-2026-4977
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #6: GO-2026-4976
    ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
  More info: https://pkg.go.dev/vuln/GO-2026-4976
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #7: GO-2026-4971
    Panic in Dial and LookupPort when handling NUL byte on Windows in net
  More info: https://pkg.go.dev/vuln/GO-2026-4971
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #8: GO-2026-4947
    Unexpected work during chain building in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2026-4947
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.9

Vulnerability #9: GO-2026-4946
    Inefficient policy validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2026-4946
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.9

Vulnerability #10: GO-2026-4918
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4918
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.10

Vulnerability #11: GO-2026-4870
    Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4870
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.9

Vulnerability #12: GO-2026-4869
    Unbounded allocation for old GNU sparse in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2026-4869
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.9

Vulnerability #13: GO-2026-4865
    JsBraceDepth Context Tracking Bugs (XSS) in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4865
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.9

Vulnerability #14: GO-2026-4603
    URLs in meta content attribute actions are not escaped in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4603
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.25.8

Vulnerability #15: GO-2026-4342
    Excessive CPU consumption when building archive index in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2026-4342
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.12

Vulnerability #16: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.12

Vulnerability #17: GO-2026-4337
    Unexpected session resumption in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4337
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.13

Vulnerability #18: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.11

Vulnerability #19: GO-2025-4155
    Excessive resource consumption when printing error string for host certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.11

Vulnerability #20: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #21: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #22: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #23: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #24: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #25: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #26: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #27: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.9

Vulnerability #28: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.8

Vulnerability #29: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: stdlib@go1.24.4
    Fixed in: stdlib@go1.24.6

Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 4 vulnerabilities in packages you import and 29 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.