gitsafehub
github.com/revel/revel ↗

revel/revel

scanned 2026-06-30 · git b053175
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 3 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies21Known OSS vulnerabilities109Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 21 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
    go.mod
    A package you depend on has a known security hole (CVE-2022-27664). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-41723 golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
    go.mod
    A package you depend on has a known security hole (CVE-2022-41723). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
    go.mod
    A package you depend on has a known security hole (CVE-2023-39325). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
    go.mod
    A package you depend on has a known security hole (CVE-2023-45288). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-45338 golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
    go.mod
    A package you depend on has a known security hole (CVE-2024-45338). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25680 Parsing arbitrary HTML can consume excessive CPU time, possibly leadin ...
    go.mod
    A package you depend on has a known security hole (CVE-2026-25680). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25681 Parsing arbitrary HTML which is then rendered using Render can result ...
    go.mod
    A package you depend on has a known security hole (CVE-2026-25681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27136 Parsing arbitrary HTML which is then rendered using Render can result ...
    go.mod
    A package you depend on has a known security hole (CVE-2026-27136). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
    go.mod
    A package you depend on has a known security hole (CVE-2026-33814). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
    go.mod
    A package you depend on has a known security hole (CVE-2026-39821). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42502 Parsing arbitrary HTML which is then rendered using Render can result ...
    go.mod
    A package you depend on has a known security hole (CVE-2026-42502). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42506 Parsing arbitrary HTML which is then rendered using Render can result ...
    go.mod
    A package you depend on has a known security hole (CVE-2026-42506). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
    go.mod
    A package you depend on has a known security hole (CVE-2022-41717). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-3978 golang.org/x/net/html: Cross site scripting
    go.mod
    A package you depend on has a known security hole (CVE-2023-3978). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22870 golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22872 golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47911 golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html
    go.mod
    A package you depend on has a known security hole (CVE-2025-47911). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-58190 golang.org/x/net/html: Infinite parsing loop in golang.org/x/net
    go.mod
    A package you depend on has a known security hole (CVE-2025-58190). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-29526 golang: syscall: faccessat checks wrong group
    go.mod
    A package you depend on has a known security hole (CVE-2022-29526). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-28948 golang-gopkg-yaml: crash when attempting to deserialize invalid input
    go.mod
    A package you depend on has a known security hole (CVE-2022-28948). Fix: Update that package to its patched version.
  • FYI CVE-2026-39824 Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
    go.mod
    A package you depend on has a known security hole (CVE-2026-39824). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 109 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GO-2022-0969 Denial of service in net/http and golang.org/x/net/http2
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-27664). Fix: Update that package to its patched version.
  • Worth fixing GO-2022-1144 Excessive memory growth in net/http and golang.org/x/net/http2
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-41717). Fix: Update that package to its patched version.
  • Worth fixing GO-2023-1571 Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-41723). Fix: Update that package to its patched version.
  • Worth fixing GO-2023-1988 Improper rendering of text nodes in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2023-3978). Fix: Update that package to its patched version.
  • Worth fixing GO-2023-2102 HTTP/2 rapid reset can cause excessive work in net/http
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2023-39325). Fix: Update that package to its patched version.
  • Worth fixing GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2023-45288). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3503 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qppj-fm5r-hxr3 HTTP/2 Stream Cancellation Attack
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2023-44487). Fix: Update that package to its patched version.
  • Worth fixing GO-2022-0493 Incorrect privilege reporting in syscall and golang.org/x/sys/unix
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-29526). Fix: Update that package to its patched version.
  • Worth fixing GO-2022-0603 Panic in gopkg.in/yaml.v3
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-28948). Fix: Update that package to its patched version.
  • FYI GO-2024-3333 Non-linear parsing of case-insensitive content in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2024-45338). Fix: Update that package to its patched version.
  • FYI GO-2026-4440 Quadratic parsing complexity in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2025-47911). Fix: Update that package to its patched version.
  • FYI GO-2026-4441 Infinite parsing loop in golang.org/x/net
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2025-58190). Fix: Update that package to its patched version.
  • FYI GO-2026-4918 Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-33814). Fix: Update that package to its patched version.
  • FYI GO-2026-5025 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-42506). Fix: Update that package to its patched version.
  • FYI GO-2026-5026 Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-39821). Fix: Update that package to its patched version.
  • FYI GO-2026-5027 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-42502). Fix: Update that package to its patched version.
  • FYI GO-2026-5028 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-25680). Fix: Update that package to its patched version.
  • FYI GO-2026-5029 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-25681). Fix: Update that package to its patched version.
  • FYI GO-2026-5030 Invoking duplicate attributes can cause XSS in golang.org/x/net/html
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-27136). Fix: Update that package to its patched version.
  • FYI GO-2026-5024 Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2026-39824). Fix: Update that package to its patched version.
  • FYI GO-2022-0969 Denial of service in net/http and golang.org/x/net/http2
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-27664). Fix: Update that package to its patched version.
  • FYI GO-2022-1037 Unbounded memory consumption when reading headers in archive/tar
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-2879). Fix: Update that package to its patched version.
  • FYI GO-2022-1038 Incorrect sanitization of forwarded query parameters in net/http/httputil
    /workdirs/scan-68049bf1-5446-459d-8a4b-957ac1b98ca4/go.mod
    A package you depend on has a known security hole (CVE-2022-2880). Fix: Update that package to its patched version.
… 84 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: go:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.