GO-2025-3505: Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet

  GO-2026-4557: Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet

  GO-2026-4560: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet

  GO-2026-4561: Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet

  GO-2026-4563: Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet

  GO-2026-4564: Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet

  GO-2026-4888: Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet

  GO-2026-4889: Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet

  GO-2026-4892: A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet

  GO-2026-4912: Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet

  GO-2026-4913: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet

  GO-2026-4914: Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet

  GO-2026-4915: Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet