Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:50

Modified

2026-05-02 09:30

Summary

Security fixes for CVE-2026-33815, CVE-2026-33816, CVE-2026-34986, CVE-2026-39883, ghsa-hfvc-g4fc-pqhx, ghsa-j88v-2chj-qfwx applied in versions: 1.31.0.153.1-r0, 1.31.0.153.3-r0, 1.31.0.153.3-r1

Details

Multiple security vulnerabilities affect the temporal-server package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2026-33815	WEB
	https://osv.dev/vulnerability/CVE-2026-33816	WEB
	https://osv.dev/vulnerability/CVE-2026-34986	WEB
	https://osv.dev/vulnerability/CVE-2026-39883	WEB
	https://osv.dev/vulnerability/ghsa-hfvc-g4fc-pqhx	WEB
	https://osv.dev/vulnerability/ghsa-j88v-2chj-qfwx	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33815	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33816	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34986	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39883	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "temporal-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.0.153.3-r1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the temporal-server package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-OH72236",
  "modified": "2026-05-02T09:30:12Z",
  "published": "2026-05-18T13:50:09.032203Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-OH72236.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33815"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33816"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39883"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-hfvc-g4fc-pqhx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-j88v-2chj-qfwx"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33815"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2026-33815, CVE-2026-33816, CVE-2026-34986, CVE-2026-39883, ghsa-hfvc-g4fc-pqhx, ghsa-j88v-2chj-qfwx applied in versions: 1.31.0.153.1-r0, 1.31.0.153.3-r0, 1.31.0.153.3-r1",
  "upstream": [
    "CVE-2026-33815",
    "CVE-2026-33816",
    "CVE-2026-34986",
    "CVE-2026-39883",
    "ghsa-hfvc-g4fc-pqhx",
    "ghsa-j88v-2chj-qfwx"
  ]
}

CVE-2026-33815 (GCVE-0-2026-33815)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33815 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-129 — Improper Validation of Array Index

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4771

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:21:42.714758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:02.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "Bind.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-129 \u2014 Improper Validation of Array Index",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T18:30:29.157Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4771"
        }
      ],
      "title": "CVE-2026-33815 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33815",
    "datePublished": "2026-04-07T15:19:24.344Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:02.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33816 (GCVE-0-2026-33816)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-05-14 16:04

Title

CVE-2026-33816 in github.com/jackc/pgx

Summary

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-697 — Incorrect Comparison

Assigner

References

1 reference

URL	Tags
https://pkg.go.dev/vuln/GO-2026-4772

Impacted products

1 product

Vendor	Product	Version
github.com/jackc/pgx/v5	github.com/jackc/pgx/v5/pgproto3	Affected: 0 , < 5.9.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:24:50.570972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:04:30.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/jackc/pgx/v5/pgproto3",
          "product": "github.com/jackc/pgx/v5/pgproto3",
          "programRoutines": [
            {
              "name": "FunctionCall.Decode"
            },
            {
              "name": "Backend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgx/v5",
          "versions": [
            {
              "lessThan": "5.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-697 \u2014 Incorrect Comparison",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T15:49:13.116Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4772"
        }
      ],
      "title": "CVE-2026-33816 in github.com/jackc/pgx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33816",
    "datePublished": "2026-04-07T15:19:24.529Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-14T16:04:30.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34986 (GCVE-0-2026-34986)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-04-07 14:21

Title

Go JOSE affect by a panic in JWE decryption

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-jose/go-jose/security/advis…	x_refsource_CONFIRM
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-jose	go-jose	Affected: >= 4.0.0, < 4.1.4 Affected: < 3.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:21:42.477191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:21:54.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.4"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:22:45.353Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "source": {
        "advisory": "GHSA-78h2-9frx-2jm8",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE affect by a panic in JWE decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34986",
    "datePublished": "2026-04-06T16:22:45.353Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T14:21:54.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39883 (GCVE-0-2026-39883)

Vulnerability from cvelistv5 – Published: 2026-04-08 20:26 – Updated: 2026-04-10 20:52

Title

OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

Severity ?

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_CONFIRM
http://github.com/open-telemetry/opentelemetry-go…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-telemetry	opentelemetry-go	Affected: >= 1.15.0, < 1.43.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39883",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:52:34.310842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:52:54.819Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.43.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T20:26:41.731Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
        },
        {
          "name": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
        }
      ],
      "source": {
        "advisory": "GHSA-hfvc-g4fc-pqhx",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39883",
    "datePublished": "2026-04-08T20:26:41.731Z",
    "dateReserved": "2026-04-07T20:32:03.010Z",
    "dateUpdated": "2026-04-10T20:52:54.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-HFVC-G4FC-PQHX

Vulnerability from github – Published: 2026-04-08 19:22 – Updated: 2026-04-09 14:29

Summary

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
Attacker places a malicious kenv binary earlier in $PATH
Application initializes OpenTelemetry resource detection at startup
hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity ?

7.3 (High)


                  
                    CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.42.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/otel/sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.43.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:22:12Z",
    "nvd_published_at": "2026-04-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.\n\n## Root Cause\n\n`sdk/resource/host_id.go` line 42:\n\n    if result, err := r.execCommand(\"kenv\", \"-q\", \"smbios.system.uuid\"); err == nil {\n\nCompare with the fixed Darwin path at line 58:\n\n    result, err := r.execCommand(\"/usr/sbin/ioreg\", \"-rd1\", \"-c\", \"IOPlatformExpertDevice\")\n\nThe `execCommand` helper at `sdk/resource/host_id_exec.go` uses `exec.Command(name, arg...)` which searches `$PATH` when the command name contains no path separator.\n\nAffected platforms (per build tag in `host_id_bsd.go:4`): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.\n\nThe `kenv` path is reached when `/etc/hostid` does not exist (line 38-40), which is common on FreeBSD systems.\n\n## Attack\n\n1. Attacker has local access to a system running a Go application that imports `go.opentelemetry.io/otel/sdk`\n2. Attacker places a malicious `kenv` binary earlier in `$PATH`\n3. Application initializes OpenTelemetry resource detection at startup\n4. `hostIDReaderBSD.read()` calls `exec.Command(\"kenv\", ...)` which resolves to the malicious binary\n5. Arbitrary code executes in the context of the application\n\nSame attack vector and impact as CVE-2026-24051.\n\n## Suggested Fix\n\nUse the absolute path:\n\n    if result, err := r.execCommand(\"/bin/kenv\", \"-q\", \"smbios.system.uuid\"); err == nil {\n\nOn FreeBSD, `kenv` is located at `/bin/kenv`.",
  "id": "GHSA-hfvc-g4fc-pqhx",
  "modified": "2026-04-09T14:29:41Z",
  "published": "2026-04-08T19:22:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-go"
    },
    {
      "type": "WEB",
      "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking"
}

GHSA-J88V-2CHJ-QFWX

Vulnerability from github – Published: 2026-04-22 20:46 – Updated: 2026-05-13 13:30

Summary

pgx: SQL Injection via placeholder confusion with dollar quoted string literals

Details

Impact

SQL Injection can occur when:

The non-default simple protocol is used.
A dollar quoted string literal is used in the SQL query.
That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity ?

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jackc/pgx/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jackc/pgx/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.18.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jackc/pgx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T20:46:51Z",
    "nvd_published_at": "2026-05-08T17:16:31Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nSQL Injection can occur when:\n\n1. The non-default simple protocol is used.\n2. A dollar quoted string literal is used in the SQL query.\n3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.\n4. The value of that placeholder is controllable by the attacker.\n\ne.g.\n\n```go\nattackValue := `$tag$; drop table canary; --`\n_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)\n```\n\nThis is unlikely to occur outside of a contrived scenario.\n\n### Patches\n\nThe problem is resolved in v5.9.2.\n\n### Workarounds\n\nDo not use the simple protocol to execute queries matching all the above conditions.",
  "id": "GHSA-j88v-2chj-qfwx",
  "modified": "2026-05-13T13:30:26Z",
  "published": "2026-04-22T20:46:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jackc/pgx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jackc/pgx/releases/tag/v5.9.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pgx: SQL Injection via placeholder confusion with dollar quoted string literals"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2026-33815 (GCVE-0-2026-33815)

CVE-2026-33816 (GCVE-0-2026-33816)

CVE-2026-34986 (GCVE-0-2026-34986)

CVE-2026-39883 (GCVE-0-2026-39883)

GHSA-HFVC-G4FC-PQHX

Summary

Root Cause

Attack

Suggested Fix

GHSA-J88V-2CHJ-QFWX

Impact

Patches

Workarounds

Tags

Sightings

Nomenclature