agentproc

package

Versions in this module

v2
Jul 7, 2026
Jul 7, 2026
Jun 30, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 2, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 29, 2026
Jun 29, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 23, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 19, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 18, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 13, 2026 GO-2026-5906 +17 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 7, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 6, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 5, 2026 GO-2026-5169 +19 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 22, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 15, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 8, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Apr 1, 2026 GO-2026-5169 +1 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Jun 30, 2026
Jun 27, 2026
Jun 17, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 11, 2026 GO-2026-5923
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Jun 8, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 30, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 19, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 18, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 13, 2026 GO-2026-5906 +16 more
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 28, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 14, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 24, 2026 GO-2026-5169 +18 more
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 29, 2025 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 23, 2025 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 18, 2025 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 7, 2025 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 16, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 3, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 12, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Nov 8, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Nov 8, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Nov 4, 2024 GO-2025-3921 +17 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 24, 2024 GO-2025-3921 +16 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 1, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 28, 2024 GO-2025-3921 +16 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 8, 2024 GO-2025-3921 +16 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 8, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 1, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Sep 3, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 24, 2024 GO-2025-3921 +16 more
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Sep 5, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 20, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 7, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 6, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 20, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 6, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 1, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jul 23, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jul 18, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jul 2, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Aug 1, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jul 22, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jul 18, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 24, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 21, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 6, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 4, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 24, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jun 21, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 22, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 16, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 6, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
May 22, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 22, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 17, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 3, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Changes in this version
type Process
Apr 22, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 17, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Apr 5, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 19, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 12, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 9, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 4, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Feb 15, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Feb 12, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Feb 7, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Feb 7, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 4, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 24, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 22, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Jan 19, 2024 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Mar 4, 2024 GO-2024-3228 +17 more
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 21, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 14, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Dec 12, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Nov 17, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 30, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 20, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 17, 2023 GO-2024-2602 +18 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 11, 2023 GO-2024-2602 +17 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Oct 4, 2023 GO-2024-2602 +17 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
Sep 27, 2023 GO-2024-2602 +17 more
Alert  GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert  GO-2025-3921: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token in github.com/coder/coder
Alert  GO-2025-4182: Coder logs sensitive objects unsanitized in github.com/coder/coder
Alert  GO-2026-5169: Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder
Alert  GO-2026-5196: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft in github.com/coder/coder
Alert  GO-2026-5897: Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder
Alert  GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
Alert  GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
Alert  GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
Alert  GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
Alert  GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
Alert  GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
Alert  GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
Alert  GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
Alert  GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
Alert  GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
Alert  GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
Alert  GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL