pkg:Go/github.com/charmbracelet/soft-serve

20 total CVEsCRITICAL4HIGH6MEDIUM4

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.1CVE-2026-30832soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
    >= 0.6.0, < 0.11.4
  • CRITICAL9.1CVE-2026-30832soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
    >= 0.6.0, < 0.11.4
  • CRITICAL9.1CVE-2025-64522Soft Serve is vulnerable to SSRF through its Webhooks in github.com/charmbracelet/soft-serve
    from 0, < 0.11.1
  • CRITICAL9.1CVE-2025-64522Soft Serve is vulnerable to SSRF through its Webhooks in github.com/charmbracelet/soft-serve
    from 0, < 0.11.1
  • HIGH8.1CVE-2024-41956soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests in github.com/charmbracelet/soft-serve
    from 0, < 0.7.5
  • HIGH8.1CVE-2024-41956soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests in github.com/charmbracelet/soft-serve
    from 0, < 0.7.5
  • HIGH7.7CVE-2025-58355Soft Serve vulnerable to arbitrary file writing through SSH API
    from 0, < 0.10.0
  • HIGH7.7CVE-2025-58355Soft Serve vulnerable to arbitrary file writing through SSH API
    from 0, < 0.10.0
  • HIGH7.5CVE-2023-43809Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve
    from 0, < 0.6.2
  • HIGH7.5CVE-2023-43809Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve
    from 0, < 0.6.2
  • MEDIUM5.4CVE-2026-22253Soft Serve is missing an authorization check in LFS lock deletion
    from 0, < 0.11.2
  • MEDIUM5.4CVE-2026-22253Soft Serve is missing an authorization check in LFS lock deletion
    from 0, < 0.11.2
  • MEDIUM4.6CVE-2025-64494Soft Serve does not sanitize ANSI escape sequences in user input
    from 0, < 0.11.0
  • MEDIUM4.6CVE-2025-64494Soft Serve does not sanitize ANSI escape sequences in user input
    from 0, < 0.11.0
  • CVE-2026-33353In Soft Serve, an authenticated repo import can clone server-local private repositories
    >= 0.6.0, < 0.11.6
  • CVE-2026-33353In Soft Serve, an authenticated repo import can clone server-local private repositories
    >= 0.6.0, < 0.11.6
  • CVE-2026-24058Soft Serve Affected by an Authentication Bypass in github.com/charmbracelet/soft-serve
    from 0, < 0.11.3
  • CVE-2026-24058Soft Serve Affected by an Authentication Bypass in github.com/charmbracelet/soft-serve
    from 0, < 0.11.3
  • CVE-2025-22130Soft Serve vulnerable to path traversal attacks in github.com/charmbracelet/soft-serve
    from 0, < 0.8.2
  • CVE-2025-22130Soft Serve vulnerable to path traversal attacks in github.com/charmbracelet/soft-serve
    from 0, < 0.8.2