chore(deps)(deps): bump go.opentelemetry.io/otel from 1.38.0 to 1.41.0

[dependabot]

Bumps go.opentelemetry.io/otel from 1.38.0 to 1.41.0.

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.41.0/0.63.0/0.17.0/0.0.15] 2026-03-02

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

Added

• Support testing of [Go 1.26]. (#7902)

Fixed

• Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#7914)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#7914)
• Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#7914)

[1.40.0/0.62.0/0.16.0] 2026-02-02

Added

• Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
• Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
• Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

Changed

• Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
• Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
• Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
• Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
• Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
• Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
• Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
• The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

Fixed

• Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
• Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
• Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

... (truncated)

Commits

• 4575a97 Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977)
• 66fc10d fix: add error handling for insecure HTTP endpoints with TLS client configura...
• 76e6eec chore(deps): update github/codeql-action action to v4.32.5 (#7980)
• 0d50f90 Revert "Generate semconv/v1.40.0" (#7978)
• c38a4a5 Generate semconv/v1.40.0 (#7929)
• 0f1a224 chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)
• c79ebf4 chore(deps): update module github.com/daixiang0/gci to v0.14.0 (#7973)
• f758157 chore(deps): update module github.com/sonatard/noctx to v0.5.0 (#7968)
• 92a1164 fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b...
• 3cd7c27 chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 (#7969)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Labels

The following labels could not be found: go, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	1
Moderate	0
Low	1
Total	2

Click to see details

# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

[github-actions]

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	6
Moderate	5
Low	0
Total	11

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

i18next-http-backend  <3.0.5
Severity: moderate
 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - https://github.com/advisories/GHSA-q89c-q3h5-w34g
fix available via `npm audit fix`
node_modules/i18next-http-backend

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss

protocol-buffers-schema  <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - https://github.com/advisories/GHSA-j452-xhg8-qg39
fix available via `npm audit fix`
node_modules/protocol-buffers-schema

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

vite  7.0.0 - 7.3.1
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Vite: `server.fs.deny` bypassed with queries - https://github.com/advisories/GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - https://github.com/advisories/GHSA-p9ff-h696-f583
fix available via `npm audit fix`
node_modules/vite

11 vulnerabilities (5 moderate, 6 high)

To address all issues, run:
  npm audit fix

[github-actions]

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	2
Medium	5
Low	3
Total	10

Click to see details

Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │       10        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 10 (LOW: 3, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬──────────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │  Installed Version   │    Fixed Version     │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                      │                      │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ musl          │ CVE-2026-40200 │ HIGH     │        │ 1.2.4_git20230717-r5 │ 1.2.4_git20230717-r6 │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ musl-utils    │ CVE-2026-40200 │ HIGH     │        │                      │                      │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │          │        │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴──────────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

[github-actions]

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	6
Medium	5
Low	1
Total	13

Click to see details

Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       13        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 13 (LOW: 1, MEDIUM: 5, HIGH: 6, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │ fixed  │ v1.24.0           │ 1.43.0         │ OpenTelemetry-Go is the Go implementation of OpenTelemetry. │
│ http                                                         │                │          │        │                   │                │ Prior to 1 ...                                              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39882                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                                                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0         │ opentelemetry-go: BSD kenv command not using absolute path  │
│                                                              │                │          │        │                   │                │ enables PATH hijacking                                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39883                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ google.golang.org/grpc/grpc-go:                             │
│                                                              │                │          │        │                   │                │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass │
│                                                              │                │          │        │                   │                │ due to improper HTTP/2 path validation                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2 │ crypto/x509: crypto/tls: golang: Go: Denial of Service      │
│                                                              │                │          │        │                   │                │ vulnerability in certificate chain building...              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                │ crypto/x509: golang: Go crypto/x509: Denial of Service via  │
│                                                              │                │          │        │                   │                │ inefficient certificate chain validation...                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                │ If one side of the TLS connection sends multiple key update │
│                                                              │                │          │        │                   │                │ messages...                                                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1 │ html/template: URLs in meta content attribute actions are   │
│                                                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2 │ golang: internal/syscall/unix: Root.Chmod can follow        │
│                                                              │                │          │        │                   │                │ symlinks out of the root                                    │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                │ archive/tar: golang: Go's archive/tar package: Denial of    │
│                                                              │                │          │        │                   │                │ Service via maliciously-crafted archive                     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                │ html/template: golang: html/template: Cross-Site Scripting  │
│                                                              │                │          │        │                   │                │ (XSS) via improper context and brace depth...               │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1 │ os: FileInfo can escape from a Root in golang os module     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘