| google.golang.org/grpc | v1.72.0 | CRITICAL | GHSA-p77j-4mvh-x3m3 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading slash in :path |
| github.com/buger/jsonparser | v1.1.1 | HIGH | GHSA-6g7g-w4f8-9c9x | 1.1.2 | github.com/buger/jsonparser has a denial of service vulnerability |
| go.opentelemetry.io/otel/sdk | v1.35.0 | HIGH | GHSA-9h8m-3fm2-qjrq | 1.40.0 | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking |
| go.opentelemetry.io/otel/sdk | v1.35.0 | HIGH | GHSA-hfvc-g4fc-pqhx | 1.43.0 | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking |
| golang.org/x/crypto | v0.42.0 | MEDIUM | GHSA-j5w8-q4qc-rx2x | 0.45.0 | golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption |
| github.com/prometheus/prometheus | v0.303.0 | MEDIUM | GHSA-vffh-x6r8-xx99 | 0.311.2-0.20260410083055-07c6232d159b | Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer |
| golang.org/x/crypto | v0.42.0 | MEDIUM | GHSA-f6x5-jh6r-wrfv | 0.45.0 | golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read |