data/reports: add 15 reports

  - data/reports/GO-2025-4133.yaml
  - data/reports/GO-2025-4138.yaml
  - data/reports/GO-2025-4139.yaml
  - data/reports/GO-2025-4146.yaml
  - data/reports/GO-2025-4147.yaml
  - data/reports/GO-2025-4149.yaml
  - data/reports/GO-2025-4150.yaml
  - data/reports/GO-2025-4151.yaml
  - data/reports/GO-2025-4152.yaml
  - data/reports/GO-2025-4153.yaml
  - data/reports/GO-2025-4156.yaml
  - data/reports/GO-2025-4157.yaml
  - data/reports/GO-2025-4158.yaml
  - data/reports/GO-2025-4159.yaml
  - data/reports/GO-2025-4160.yaml

Fixes #4133
Fixes #4138
Fixes #4139
Fixes #4146
Fixes #4147
Fixes #4149
Fixes #4150
Fixes #4151
Fixes #4152
Fixes #4153
Fixes #4156
Fixes #4157
Fixes #4158
Fixes #4159
Fixes #4160

Change-Id: I1d079723dbf4583ea3c0bbc2ac2fb3330a304bce
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/723981
Reviewed-by: Nicholas Husin <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Ethan Lee <[email protected]>

Author: nicholashusin

data/osv/GO-2025-4133.json

@@ -0,0 +1,143 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4133",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-55074",
+    "GHSA-9hh7-6558-qfp2"
+  ],
+  "summary": "Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server",
+  "details": "Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250905150616-ba86dfc5876b6.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "10.5.0+incompatible"
+            },
+            {
+              "fixed": "10.5.12+incompatible"
+            },
+            {
+              "introduced": "10.11.0+incompatible"
+            },
+            {
+              "fixed": "10.11.4+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v6",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "8.0.0-20250905150616-ba86dfc5876b6"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-9hh7-6558-qfp2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55074"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/pull/33835"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/pull/33905"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4133",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4138.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4138",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-65025",
+    "GHSA-h3mw-4f23-gwpw"
+  ],
+  "summary": "esm.sh CDN service has arbitrary file write via tarslip in github.com/esm-dev/esm.sh",
+  "details": "esm.sh CDN service has arbitrary file write via tarslip in github.com/esm-dev/esm.sh",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/esm-dev/esm.sh",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20251117232647-9d77b88c3207"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65025"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4138",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4139.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4139",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-65026",
+    "GHSA-hcpf-qv9m-vfgp"
+  ],
+  "summary": "esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh",
+  "details": "esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/esm-dev/esm.sh",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20251118065157-87d2f6497574"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65026"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4139",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4146.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4146",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2018-21258",
+    "GHSA-5mh6-p63g-3mv5"
+  ],
+  "summary": "Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server",
+  "details": "Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.1.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-5mh6-p63g-3mv5"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21258"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/af615ffc24b774d76deef8c93282831432669dd8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4146",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4147.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4147",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-6xvf-4vh9-mw47"
+  ],
+  "summary": "Minder does not sandbox http.send in Rego programs in github.com/mindersec/minder",
+  "details": "Minder does not sandbox http.send in Rego programs in github.com/mindersec/minder",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mindersec/minder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.0.72"
+            },
+            {
+              "fixed": "0.0.84"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4147",
+    "review_status": "UNREVIEWED"
+  }
+}