releaser

command

Versions in this module

v2
Jul 7, 2026
Jul 7, 2026
Jun 30, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 2, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 29, 2026
Jun 29, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 23, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 19, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 18, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 13, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 7, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 6, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 5, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 22, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 15, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 8, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 1, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Jun 30, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 30, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 19, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 18, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 13, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 28, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 14, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 24, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL