Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Friday's disclosures reveal significant exposure across AWS services, with CVE-2026-40175 (CVSS 10.0) enabling IMDSv2 bypass and CVE-2026-5058/CVE-2026-5059 (CVSS 9.8) affecting AWS CLI and aws-mcp-server. Twenty critical vulnerabilities were disclosed, a 39% decrease from the prior day's 33, while 100 high-priority CVEs held steady. Additional critical flaws include CVE-2026-4149 (CVSS 10.0) in Sonos Era 300 smart speakers, CVE-2026-5412 (CVSS 9.9) in Canonical Juju, and CVE-2026-34621 (CVSS 9.6) in Adobe Acrobat Reader. Remote code execution and authentication bypass patterns dominate, spanning cloud infrastructure, consumer IoT, and document processing software. No patches are currently available for any disclosed vulnerabilities, requiring defenders to prioritize compensating controls and network-level mitigations.
Three AWS services affected by critical vulnerabilities: IMDSv2 bypass (CVSS 10.0), CLI command injection (CVSS 9.8), and MCP server flaw (CVSS 9.8)
20 critical CVEs disclosed, down 39% from the prior day's 33; two carry maximum CVSS 10.0 scores
100 high-priority CVEs unchanged from the prior day, maintaining elevated disclosure volume
RCE and authentication bypass dominate attack patterns across Sonos IoT devices, Adobe Acrobat Reader, Canonical Juju, and Totolink routers
Zero patches available across all 120 disclosed vulnerabilities β compensating controls required
2 actively exploited vulnerabilities identified in Google Dawn and TrueConf Client (both CVSS 9.5)
Immediate action: Prioritize AWS environments for immediate review β audit IMDSv2 configurations, restrict AWS CLI and MCP server access, and apply network segmentation around Sonos Era 300 and Totolink A7100RU devices. With no patches currently available for any of the 120 disclosed CVEs, implement WAF rules, disable unnecessary services, and monitor for exploitation indicators on Google Dawn and TrueConf Client.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-5281
9.5π
GoogleDawn
β° Federal Deadline:April 14, 2026(4 days remaining)
A use-after-free vulnerability exists in the Dawn component of Google Chrome. This flaw allows attackers to potentially execute arbitrary code or cause a denial-of-service via a crafted HTML page.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-3502
9.5
TrueConfClient
β° Federal Deadline:April 15, 2026(5 days remaining)
TrueConf Client Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-40175
10π
AWSIMDSv2 bypass
Axios is vulnerable to a prototype pollution attack chain that can be escalated to remote code execution or AWS IMDSv2 bypass.
CVSS Base10
β
CRSSelect profile
CVE-2026-32892
9.1π
HPpasses user
Chamilo LMS contains an OS Command Injection vulnerability in its file move function, allowing authenticated users to execute arbitrary commands on the underlying server.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-1115
9.6π
parisneolollms
A stored Cross-Site Scripting (XSS) vulnerability in the lollms social feature allows unauthenticated attackers to inject malicious JavaScript, leading to potential account takeover.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-34621
9.6π
Acrobat ReaderAcrobat Reader
Adobe Acrobat Reader is vulnerable to prototype pollution, which can result in arbitrary code execution when a victim opens a malicious file.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-5059
9.8π
AWSCLI Command
The aws-mcp-server is vulnerable to remote code execution via AWS CLI command injection, allowing attackers to execute arbitrary system commands without authentication.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-4149
10π
Sonos EraEra 300
The Sonos Era 300 is vulnerable to remote code execution due to an out-of-bounds memory access issue within SMB response handling.
CVSS Base10
β
CRSSelect profile
CVE-2026-6057
9.8π
the fileBrowser
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API, leading to remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5058
9.8π
AWSaws-mcp-server
The aws-mcp-server is vulnerable to remote code execution via command injection due to improper validation of user-supplied input in the allowed commands list.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5412
9.9π
In JujuJuju
Juju contains an authorization flaw in the Controller facade that allows authenticated users to extract sensitive cloud credentials.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-5993
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiGuestCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5994
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setTelnetCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5995
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setMiniuiHomeInfoShow function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5996
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler, allowing unauthenticated attackers to execute arbitrary system commands via the tty_server argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5997
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated attackers to execute arbitrary system commands via the admpass argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6025
9.8π
TotolinkA7100RU
An OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated remote attackers to execute arbitrary commands via the enable argument in setSyslogCfg.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6026
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler, allowing unauthenticated attackers to execute commands via the enable argument in setPortalConfWeChat.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6027
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated remote attackers to execute commands via the enable argument in setUrlFilterRules.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6028
9.8π
TotolinkA7100RU
The Totolink A7100RU router is vulnerable to remote OS command injection in the setPptpServerCfg function, which is publicly exploitable.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6029
9.8π
TotolinkA7100RU
The Totolink A7100RU router is vulnerable to remote OS command injection in the setVpnAccountCfg function, which is publicly exploitable.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-33707
9.4π
ChamiloLMS
Chamilo LMS uses a predictable, non-random token generation mechanism for password resets, allowing unauthenticated attackers to hijack user accounts.
CVSS Base9.4
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-13914
8.7
SSHNetworks Apstra
A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM
attacker to impersonate managed devices
CVSS Base8.7
β
CRSSelect profile
CVE-2026-29146
7.5π
Oraclevulnerability in
Apache Tomcatβs EncryptInterceptor contains a Padding Oracle vulnerability when running under default configurations, potentially allowing for cryptographic attacks.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-58913
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion
CVSS Base8.1
β
CRSSelect profile
CVE-2026-34483
7.5
ApacheTomcat
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40158
8.6
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.6
β
CRSSelect profile
CVE-2026-40113
8.4
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.4
β
CRSSelect profile
CVE-2026-30478
8.8
GatewayGeo MapServerMultiple Products
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable
CVSS Base8.8
β
CRSSelect profile
CVE-2023-54359
8.2π Late Disclosure
WordPressadivaha Travel
WordPress adivaha Travel Plugin 2
CVSS Base8.2
β
CRSSelect profile
CVE-2026-39942
8.5
UnknownMultiple Products
Directus is a real-time API and App dashboard for managing SQL database content
CVSS Base8.5
β
CRSSelect profile
CVE-2026-40149
7.9
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.9
β
CRSSelect profile
CVE-2026-40156
7.8
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40150
7.7
Teamssystem
PraisonAIAgents is a multi-agent teams system
CVSS Base7.7
β
CRSSelect profile
CVE-2026-24880
7.5
Apache Tomcat viaTomcat via
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension
CVSS Base7.5
β
CRSSelect profile
CVE-2026-29129
7.5
ApacheTomcat
Configured cipher preference order not preserved vulnerability in Apache Tomcat
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34486
7.5
Apache Tomcat due toTomcat due
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to theΒ fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34487
7.5π
KubernetesTomcat exposed
The cloud membership component of Apache Tomcat contains a vulnerability that inadvertently logs sensitive Kubernetes bearer tokens, leading to potential unauthorized access.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40116
7.5
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.5
β
CRSSelect profile
CVE-2026-5144
8.8
WordPressis vulnerable
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-32252
7.7
UnknownMultiple Products
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts
CVSS Base7.7
β
CRSSelect profile
CVE-2026-39974
8.5π
Oraclen8n-MCP
The n8n-MCP server contains an unspecified vulnerability that may expose sensitive documentation, properties, and operations to unauthorized AI assistants.
CVSS Base8.5
β
CRSSelect profile
CVE-2026-40163
8.2
UnknownMultiple Products
Saltcorn is an extensible, open source, no-code database application builder
CVSS Base8.2
β
CRSSelect profile
CVE-2026-4351
8.1
WordPressis vulnerable
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2
CVSS Base8.1
β
CRSSelect profile
CVE-2026-33785
8.8
CLI of JuniperNetworks Junos
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices
CVSS Base8.8
β
CRSSelect profile
CVE-2026-33618
8.8
HPcode into
Chamilo LMS is a learning management system
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47961
8.1π Late Disclosure
VPNSSL VPN
A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3360
7.5
WordPressis vulnerable
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3
CVSS Base7.5
β
CRSSelect profile
CVE-2026-31939
8.3
HPleading to
Chamilo LMS is a learning management system
CVSS Base8.3
β
CRSSelect profile
CVE-2026-34734
7.8
F5is software
HDF5 is software for managing data
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33788
7.8
Flexible PICNetworks Junos
A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33793
7.8
User InterfaceNetworks Junos
An Execution with Unnecessary Privileges vulnerabilityΒ in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system
CVSS Base7.8
β
CRSSelect profile
CVE-2025-62188
7.5
ApacheDolphinScheduler
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33266
7.5
ApacheOpenMeetings
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34020
7.5
ApacheOpenMeetings
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40046
7.5
ApacheActiveMQ
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33778
7.5
IPsec libraryNetworks Junos
An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33790
7.5
flow daemonNetworks Junos
An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart
CVSS Base7.5
β
CRSSelect profile
CVE-2026-22750
7.5
CloudMultiple Products
When configuring SSL bundles in Spring Cloud Gateway by using the configuration propertyΒ spring
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34578
8.2
Archfilter without
OPNsense is a FreeBSD based firewall and routing platform
CVSS Base8.2
β
CRSSelect profile
CVE-2026-25203
7.8
SamsungMagicINFO
Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability
This issue affects MagicINFO 9 Server: less than 21
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33092
7.8
AcronisTrue Image
Local privilege escalation due to improper handling of environment variables
CVSS Base7.8
β
CRSSelect profile
CVE-2026-5055
7.8
ArchPath Element
NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40070
8.1
UnknownMultiple Products
BSV Ruby SDK is the Ruby SDK for the BSV blockchain
CVSS Base8.1
β
CRSSelect profile
CVE-2026-5979
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5980
8.8
D-LinkDIR
A flaw has been found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5981
8.8
D-LinkDIR
A vulnerability has been found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5982
8.8
D-LinkDIR
A vulnerability was found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5983
8.8
D-LinkDIR
A vulnerability was determined in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5984
8.8
D-LinkDIR
A vulnerability was identified in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5988
8.8
TendaF451
A vulnerability was detected in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5989
8.8
TendaF451
A flaw has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5990
8.8
TendaF451
A vulnerability has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5991
8.8
TendaF451
A vulnerability was found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5992
8.8
TendaF451
A vulnerability was determined in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6012
8.8
D-LinkDIR
A security vulnerability has been detected in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6013
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6014
8.8
D-LinkDIR
A flaw has been found in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6015
8.8
TendaAC9
A vulnerability has been found in Tenda AC9 15
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6016
8.8
TendaAC9
A vulnerability was found in Tenda AC9 15
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39853
7.8
MSIMultiple Products
osslsigncode is a tool that implements Authenticode signing and timestamping
A flaw was found in odh-dashboard in Red Hat Openshift AI
CVSS Base8.5
β
CRSSelect profile
CVE-2026-1584
7.5
UnknownMultiple Products
A flaw was found in gnutls
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40069
7.5
UnknownMultiple Products
BSV Ruby SDK is the Ruby SDK for the BSV blockchain
CVSS Base7.5
β
CRSSelect profile
CVE-2026-40217
8.8
LiteLLMMultiple Products
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4436
8.6
UnknownMultiple Products
A low-privileged remote attacker can send Modbus packets to manipulate
register values that are inputs to the odorant injection logic such that
too much or too little odorant is injected into a gas line
CVSS Base8.6
β
CRSSelect profile
CVE-2026-5329
8.5
priorMultiple Products
Rapid7 Velociraptor versions prior to 0
CVSS Base8.5
β
CRSSelect profile
CVE-2026-5054
7.8
UnknownMultiple Products
NoMachine External Control of File Path Local Privilege Escalation Vulnerability
CVSS Base7.8
β
CRSSelect profile
CVE-2026-39911
8.8
throughMultiple Products
Hashgraph Guardian through version 3
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39981
8.8
UnknownMultiple Products
AGiXT is a dynamic AI Agent Automation Platform
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35638
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35639
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35643
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35663
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35666
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35669
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39983
8.6
FTPMultiple Products
basic-ftp is an FTP client for Node
CVSS Base8.6
β
CRSSelect profile
CVE-2026-35595
8.3
ArchMultiple Products
Vikunja is an open-source self-hosted task management platform
CVSS Base8.3
β
CRSSelect profile
CVE-2026-40168
8.2
UnknownMultiple Products
Postiz is an AI social media scheduling tool
CVSS Base8.2
β
CRSSelect profile
CVE-2026-40093
8.1
UnknownMultiple Products
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation
CVSS Base8.1
β
CRSSelect profile
CVE-2026-34512
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35645
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35653
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35660
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40200
8.1
muslMultiple Products
An issue was discovered in musl libc 0
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35625
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
β
CRSSelect profile
CVE-2026-28704
7.8
UnknownMultiple Products
Emocheck insecurely loads Dynamic Link Libraries (DLLs)
CVSS Base7.8
β
CRSSelect profile
CVE-2026-35641
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
β
CRSSelect profile
CVE-2026-39843
7.7
UnknownMultiple Products
Plane is an an open-source project management tool
CVSS Base7.7
β
CRSSelect profile
CVE-2026-35668
7.7
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.7
β
CRSSelect profile
CVE-2026-31941
7.7
SocialMultiple Products
Chamilo LMS is a learning management system
CVSS Base7.7
β
CRSSelect profile
CVE-2026-40188
7.7
UnknownMultiple Products
goshs is a SimpleHTTPServer written in Go
CVSS Base7.7
β
CRSSelect profile
CVE-2026-4660
7.5π
HashiCorpgo-getter
HashiCorpβs go-getter library contains a vulnerability, potentially related to improper handling of remote resources, that could lead to security risks in dependent applications.