chore(deps)(deps): bump i18next-http-backend from 3.0.2 to 3.0.5 in /web by dependabot[bot] · Pull Request #51 · PatrickFanella/subcults

dependabot · 2026-04-22T18:10:17Z

Bumps i18next-http-backend from 3.0.2 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)

security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process

security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)

security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath

security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers

chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

Commits

5757fa3 3.0.5
4cee84f security: hardening for 3.0.5
4cbc487 Bump next from 16.2.1 to 16.2.3 in /example/next (#180)
0d7dcbb make last change more clear
c740e01 year
e1dc72b changelog fix
4dbb485 3.0.4
5f33a0c use own interpolation function for loadPath and addPath instead of relying on...
681c09d update ci actions
e63ff16 adjust deno test
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5. - [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md) - [Commits](i18next/i18next-http-backend@v3.0.2...v3.0.5) --- updated-dependencies: - dependency-name: i18next-http-backend dependency-version: 3.0.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-04-22T18:10:17Z

Labels

The following labels could not be found: frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-04-22T18:11:00Z

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	1
Moderate	0
Low	1
Total	2

Click to see details

# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-04-22T18:11:10Z

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	6
Moderate	3
Low	0
Total	9

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

protocol-buffers-schema  <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - https://github.com/advisories/GHSA-j452-xhg8-qg39
fix available via `npm audit fix`
node_modules/protocol-buffers-schema

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

vite  7.0.0 - 7.3.1
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Vite: `server.fs.deny` bypassed with queries - https://github.com/advisories/GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - https://github.com/advisories/GHSA-p9ff-h696-f583
fix available via `npm audit fix`
node_modules/vite

9 vulnerabilities (3 moderate, 6 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-04-22T18:12:25Z

Docker Image Scan Results - Dockerfile.api

Image: subcults-api:scan

Severity	Count
Critical	1
High	7
Medium	8
Low	1
Total	17

Click to see details


Report Summary

┌───────────────────────────────────┬──────────┬─────────────────┬─────────┐
│              Target               │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-api:scan (alpine 3.21.7) │  alpine  │        0        │    -    │
├───────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/api                           │ gobinary │       17        │    -    │
└───────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/api (gobinary)
==================
Total: 17 (LOW: 1, MEDIUM: 8, HIGH: 7, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream        │ GHSA-xmrv-pmrh-hhx2 │ MEDIUM   │ fixed  │ v1.7.4            │ 1.7.8          │ Denial of Service due to Panic in AWS SDK for Go v2...       │
│                                                              │                     │          │        │                   │                │ https://github.com/advisories/GHSA-xmrv-pmrh-hhx2            │
├──────────────────────────────────────────────────────────────┤                     │          │        ├───────────────────┼────────────────┤                                                              │
│ github.com/aws/aws-sdk-go-v2/service/s3                      │                     │          │        │ v1.95.1           │ 1.97.3         │                                                              │
│                                                              │                     │          │        │                   │                │                                                              │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v3                                │ CVE-2026-34986      │ HIGH     │        │ v3.0.4            │ 3.0.5          │ github.com/go-jose/go-jose/v3:                               │
│                                                              │                     │          │        │                   │                │ github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service    │
│                                                              │                     │          │        │                   │                │ via crafted JSON Web Encryption...                           │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-34986                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/pion/dtls/v3                                      │ CVE-2026-26014      │ MEDIUM   │        │ v3.0.7            │ 3.1.1, 3.0.11  │ github.com/pion/dtls: Pion DTLS uses random nonce generation │
│                                                              │                     │          │        │                   │                │ with AES GCM ciphers risks...                                │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-26014                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882      │          │        │ v1.24.0           │ 1.43.0         │ OpenTelemetry-Go is the Go implementation of OpenTelemetry.  │
│ http                                                         │                     │          │        │                   │                │ Prior to 1 ...                                               │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39882                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051      │ HIGH     │        │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution  │
│                                                              │                     │          │        │                   │                │ via PATH Hijacking                                           │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                   │
│                                                              ├─────────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883      │          │        │                   │ 1.43.0         │ opentelemetry-go: BSD kenv command not using absolute path   │
│                                                              │                     │          │        │                   │                │ enables PATH hijacking                                       │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39883                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186      │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ google.golang.org/grpc/grpc-go:                              │
│                                                              │                     │          │        │                   │                │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass  │
│                                                              │                     │          │        │                   │                │ due to improper HTTP/2 path validation                       │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                   │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679      │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url  │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                   │
│                                                              ├─────────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280      │          │        │                   │ 1.25.9, 1.26.2 │ crypto/x509: crypto/tls: golang: Go: Denial of Service       │
│                                                              │                     │          │        │                   │                │ vulnerability in certificate chain building...               │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                   │
│                                                              ├─────────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281      │          │        │                   │                │ crypto/x509: golang: Go crypto/x509: Denial of Service via   │
│                                                              │                     │          │        │                   │                │ inefficient certificate chain validation...                  │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                   │
│                                                              ├─────────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283      │          │        │                   │                │ If one side of the TLS connection sends multiple key update  │
│                                                              │                     │          │        │                   │                │ messages...                                                  │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                   │
│                                                              ├─────────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142      │ MEDIUM   │        │                   │ 1.25.8, 1.26.1 │ html/template: URLs in meta content attribute actions are    │
│                                                              │                     │          │        │                   │                │ not escaped in html/template...                              │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                   │
│                                                              ├─────────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282      │          │        │                   │ 1.25.9, 1.26.2 │ golang: internal/syscall/unix: Root.Chmod can follow         │
│                                                              │                     │          │        │                   │                │ symlinks out of the root                                     │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                   │
│                                                              ├─────────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288      │          │        │                   │                │ archive/tar: golang: Go's archive/tar package: Denial of     │
│                                                              │                     │          │        │                   │                │ Service via maliciously-crafted archive                      │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                   │
│                                                              ├─────────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289      │          │        │                   │                │ html/template: golang: html/template: Cross-Site Scripting   │
│                                                              │                     │          │        │                   │                │ (XSS) via improper context and brace depth...                │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                   │
│                                                              ├─────────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139      │ LOW      │        │                   │ 1.25.8, 1.26.1 │ os: FileInfo can escape from a Root in golang os module      │
│                                                              │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                   │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-04-22T18:12:26Z

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	2
Medium	5
Low	3
Total	10

Click to see details


Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │       10        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 10 (LOW: 3, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬──────────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │  Installed Version   │    Fixed Version     │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                      │                      │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ musl          │ CVE-2026-40200 │ HIGH     │        │ 1.2.4_git20230717-r5 │ 1.2.4_git20230717-r6 │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ musl-utils    │ CVE-2026-40200 │ HIGH     │        │                      │                      │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │          │        │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴──────────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-04-22T18:12:49Z

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	6
Medium	5
Low	1
Total	13

Click to see details


Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       13        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 13 (LOW: 1, MEDIUM: 5, HIGH: 6, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │ fixed  │ v1.24.0           │ 1.43.0         │ OpenTelemetry-Go is the Go implementation of OpenTelemetry. │
│ http                                                         │                │          │        │                   │                │ Prior to 1 ...                                              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39882                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                                                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0         │ opentelemetry-go: BSD kenv command not using absolute path  │
│                                                              │                │          │        │                   │                │ enables PATH hijacking                                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39883                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ google.golang.org/grpc/grpc-go:                             │
│                                                              │                │          │        │                   │                │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass │
│                                                              │                │          │        │                   │                │ due to improper HTTP/2 path validation                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2 │ crypto/x509: crypto/tls: golang: Go: Denial of Service      │
│                                                              │                │          │        │                   │                │ vulnerability in certificate chain building...              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                │ crypto/x509: golang: Go crypto/x509: Denial of Service via  │
│                                                              │                │          │        │                   │                │ inefficient certificate chain validation...                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                │ If one side of the TLS connection sends multiple key update │
│                                                              │                │          │        │                   │                │ messages...                                                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1 │ html/template: URLs in meta content attribute actions are   │
│                                                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2 │ golang: internal/syscall/unix: Root.Chmod can follow        │
│                                                              │                │          │        │                   │                │ symlinks out of the root                                    │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                │ archive/tar: golang: Go's archive/tar package: Denial of    │
│                                                              │                │          │        │                   │                │ Service via maliciously-crafted archive                     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                │ html/template: golang: html/template: Cross-Site Scripting  │
│                                                              │                │          │        │                   │                │ (XSS) via improper context and brace depth...               │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1 │ os: FileInfo can escape from a Root in golang os module     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps)(deps): bump i18next-http-backend from 3.0.2 to 3.0.5 in /web#51

chore(deps)(deps): bump i18next-http-backend from 3.0.2 to 3.0.5 in /web#51
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/web/i18next-http-backend-3.0.5

dependabot Bot commented on behalf of github Apr 22, 2026

Uh oh!

dependabot Bot commented on behalf of github Apr 22, 2026

Uh oh!

github-actions Bot commented Apr 22, 2026

Uh oh!

github-actions Bot commented Apr 22, 2026

Uh oh!

github-actions Bot commented Apr 22, 2026

Uh oh!

github-actions Bot commented Apr 22, 2026

Uh oh!

github-actions Bot commented Apr 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 22, 2026

3.0.5

3.0.4

Uh oh!

dependabot Bot commented on behalf of github Apr 22, 2026

Labels

Uh oh!

github-actions Bot commented Apr 22, 2026

NPM Vulnerability Scan Results - e2e

Uh oh!

github-actions Bot commented Apr 22, 2026

NPM Vulnerability Scan Results - web

Uh oh!

github-actions Bot commented Apr 22, 2026

Docker Image Scan Results - Dockerfile.api

Uh oh!

github-actions Bot commented Apr 22, 2026

Docker Image Scan Results - Dockerfile.frontend

Uh oh!

github-actions Bot commented Apr 22, 2026

Docker Image Scan Results - Dockerfile.indexer

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants