gitsafehub
github.com/shadow1ng/fscan ↗

shadow1ng/fscan

scanned 2026-06-30 · git d7dbcca
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies79Known OSS vulnerabilities193Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 79 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2024-45337 golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2024-45337). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47913 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-47913). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39827 An authenticated SSH client that repeatedly opened channels which were ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39827). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39828 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39828). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39829). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39830 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39830). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39832 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39832). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39835 SSH servers which use CertChecker as a public key callback without set ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39835). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42508 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-42508). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46595 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-46595). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46597 An incorrectly placed cast from bytes to int allowed for server-side p ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-46597). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-47914 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39831). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39833 The in-memory keyring returned by NewKeyring() silently accepted keys ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39833). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH cha ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39834). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46598 golang.org/x/crypto/ssh/agent: golang: golang.org/x/crypto/ssh/agent: Denial of Service via malformed input
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-46598). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2023-45288). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-45338 golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2024-45338). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25680 Parsing arbitrary HTML can consume excessive CPU time, possibly leadin ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-25680). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25681 Parsing arbitrary HTML which is then rendered using Render can result ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-25681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-27136 Parsing arbitrary HTML which is then rendered using Render can result ...
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-27136). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-33814). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
    fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2026-39821). Fix: Update that package to its patched version.
… 54 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 193 found · 1 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GO-2024-3321 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2024-45337). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3487 Potential denial of service in golang.org/x/crypto
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4134 Unbounded memory consumption in golang.org/x/crypto/ssh
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4135 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2023-45288). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3503 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/fscan-lab/backend/go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pjcq-xvwq-hhpj go-ntlmssp NTLM challenges can panic on malformed payloads
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2026-32952). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3487 Potential denial of service in golang.org/x/crypto
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2025-22869). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4134 Unbounded memory consumption in golang.org/x/crypto/ssh
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2025-58181). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-4135 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2025-47914). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3503 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2025-22870). Fix: Update that package to its patched version.
  • Worth fixing GO-2025-3595 Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2025-22872). Fix: Update that package to its patched version.
  • Worth fixing GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/go.mod
    A package you depend on has a known security hole (CVE-2024-24786). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-32141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-a9792e1a-8727-47ae-a9f3-8e1b7357a8e8/web-ui/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
… 168 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: go:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.