data/reports: add 18 reports

  - data/reports/GO-2025-4176.yaml
  - data/reports/GO-2025-4177.yaml
  - data/reports/GO-2025-4178.yaml
  - data/reports/GO-2025-4179.yaml
  - data/reports/GO-2025-4180.yaml
  - data/reports/GO-2025-4181.yaml
  - data/reports/GO-2025-4182.yaml
  - data/reports/GO-2025-4183.yaml
  - data/reports/GO-2025-4184.yaml
  - data/reports/GO-2025-4185.yaml
  - data/reports/GO-2025-4186.yaml
  - data/reports/GO-2025-4187.yaml
  - data/reports/GO-2025-4189.yaml
  - data/reports/GO-2025-4190.yaml
  - data/reports/GO-2025-4192.yaml
  - data/reports/GO-2025-4193.yaml
  - data/reports/GO-2025-4197.yaml
  - data/reports/GO-2025-4198.yaml

Fixes #4176
Fixes #4177
Fixes #4178
Fixes #4179
Fixes #4180
Fixes #4181
Fixes #4182
Fixes #4183
Fixes #4184
Fixes #4185
Fixes #4186
Fixes #4187
Fixes #4189
Fixes #4190
Fixes #4192
Fixes #4193
Fixes #4197
Fixes #4198

Change-Id: Ie8193b4e4cf42b40c9071607da08d881014eee44
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/727480
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Markus Kusano <[email protected]>
Auto-Submit: Ethan Lee <[email protected]>

Author: ethanalee-work

data/osv/GO-2025-4176.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4176",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-65105",
+    "GHSA-j3rw-fx6g-q46j"
+  ],
+  "summary": "Apptainer ineffectively applies selinux and apparmor --security options in github.com/apptainer/apptainer",
+  "details": "Apptainer ineffectively applies selinux and apparmor --security options in github.com/apptainer/apptainer",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/apptainer/apptainer",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65105"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/apptainer/apptainer/pull/3226"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4176",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4177.json

@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4177",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-64750",
+    "GHSA-wwrx-w7c9-rf87"
+  ],
+  "summary": "Singluarity ineffectively applies of selinux / apparmor LSM process labels in github.com/sylabs/singularity",
+  "details": "Singluarity ineffectively applies of selinux / apparmor LSM process labels in github.com/sylabs/singularity.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/sylabs/singularity/v4 before v4.1.11.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/sylabs/singularity",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/sylabs/singularity/v4",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "4.1.11"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64750"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/sylabs/singularity/pull/3850"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4177",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4178.json

@@ -0,0 +1,133 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4178",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-13870",
+    "GHSA-58w6-w55x-6wq8"
+  ],
+  "summary": "Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost",
+  "details": "Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "10.5.0+incompatible"
+            },
+            {
+              "fixed": "10.5.13+incompatible"
+            },
+            {
+              "introduced": "10.11.0+incompatible"
+            },
+            {
+              "fixed": "10.11.5+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost-server/v6",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/mattermost/mattermost/server/v8",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20250905150616-ba86dfc5876b"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-58w6-w55x-6wq8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13870"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4178",
+    "review_status": "UNREVIEWED"
+  }
+}

data/osv/GO-2025-4179.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4179",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-64443",
+    "GHSA-46gc-mwh4-cc5r"
+  ],
+  "summary": "Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode in github.com/docker/mcp-gateway",
+  "details": "Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode in github.com/docker/mcp-gateway",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/docker/mcp-gateway",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.28.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64443"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/docker/mcp-gateway/commit/fe073985c8eb6e0c9317d2f198c07686f70ea06d"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/docker/mcp-gateway/pull/190"
+    },
+    {
+      "type": "WEB",
+      "url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4179",
+    "review_status": "UNREVIEWED"
+  }
+}