github.com/rhysd/go-github-selfupdate-v1.2.3: 13 vulnerabilities (highest severity is: 10.0)

[mend-for-github-com]

Vulnerable Library - github.com/rhysd/go-github-selfupdate-v1.2.3

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (github.com/rhysd/go-github-selfupdate-v1.2.3 version)	Remediation Possible**	Reachability
CVE-2026-46595	Critical	10.0	Not Defined	0.04%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-42508	Critical	9.1	Not Defined	0.03%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39834	Critical	9.1	Not Defined	0.042%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39833	Critical	9.1	Not Defined	0.033%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39832	Critical	9.1	Not Defined	0.03%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39831	Critical	9.1	Not Defined	0.022%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39830	Critical	9.1	Not Defined	0.042%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-46597	High	7.5	Not Defined	0.042%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39829	High	7.5	Not Defined	0.074%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39827	Medium	6.5	Not Defined	0.041%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39828	Medium	6.3	Not Defined	0.03%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-46598	Medium	5.3	Not Defined	0.039%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌
CVE-2026-39835	Medium	5.3	Not Defined	0.019%	golang.org/x/crypto-v0.47.0	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-46595

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Publish Date: 2026-05-22

URL: CVE-2026-46595

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.04%

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-42508

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @⁠revoked.

Publish Date: 2026-05-22

URL: CVE-2026-42508

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.03%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-39834

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Publish Date: 2026-05-22

URL: CVE-2026-39834

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.042%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-39833

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Publish Date: 2026-05-22

URL: CVE-2026-39833

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.033%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5005

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-39832

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Publish Date: 2026-05-22

URL: CVE-2026-39832

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.03%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-39831

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Publish Date: 2026-05-22

URL: CVE-2026-39831

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.022%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5019

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-39830

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Publish Date: 2026-05-22

URL: CVE-2026-39830

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.042%

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5017

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-46597

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Publish Date: 2026-05-22

URL: CVE-2026-46597

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.042%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5013

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-39829

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Publish Date: 2026-05-22

URL: CVE-2026-39829

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.074%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-39827

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Publish Date: 2026-05-22

URL: CVE-2026-39827

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.041%

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5016

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-39828

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Publish Date: 2026-05-22

URL: CVE-2026-39828

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.03%

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5014

Release Date: 2026-05-22

Fix Resolution: golang.org/x/crypto - v0.52.0,https://github.com/golang/crypto.git - v0.52.0

CVE-2026-46598

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Publish Date: 2026-05-22

URL: CVE-2026-46598

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.039%

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

CVE-2026-39835

Vulnerable Library - golang.org/x/crypto-v0.47.0

Library home page: https://proxy.golang.org/golang.org/x/crypto/@⁠v/v0.47.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/crypto/@⁠v/v0.47.0.mod

Dependency Hierarchy:

• github.com/rhysd/go-github-selfupdate-v1.2.3 (Root Library)
  • github.com/google/go-github/v30-v30.1.0
    • ❌ golang.org/x/crypto-v0.47.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Publish Date: 2026-05-22

URL: CVE-2026-39835

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.019%

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/crypto.git - v0.52.0,golang.org/x/crypto - v0.52.0

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.