Affected by GO-2026-5906
and 17 other vulnerabilities
GO-2026-5906: Coder: User-admin role can reset owner account password in github.com/coder/coder
GO-2026-5907: Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking in github.com/coder/coder
GO-2026-5908: Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass in github.com/coder/coder
GO-2026-5909: Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID in github.com/coder/coder
GO-2026-5911: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service in github.com/coder/coder
GO-2026-5913: Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh` in github.com/coder/coder
GO-2026-5915: Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator in github.com/coder/coder
GO-2026-5916: Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service in github.com/coder/coder
GO-2026-5917: Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder
GO-2026-5918: Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder
GO-2026-5919: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component in github.com/coder/coder
GO-2026-5920: Coder's AI Bridge Proxy skips TLS certificate verification in default configuration in github.com/coder/coder
GO-2026-5921: Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder
GO-2026-5922: Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers in github.com/coder/coder
GO-2026-5923: Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write in github.com/coder/coder
GO-2026-5924: Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps in github.com/coder/coder
GO-2026-5925: Suspended Coder users retain access to AI Bridge LLM proxy endpoints in github.com/coder/coder
GO-2026-5926: Coder's sub-agent app registration bypasses template port-sharing policy enforcement in github.com/coder/coder
package
Version:
v2.34.0
Opens a new window with list of versions in this module.
Published: Jun 2, 2026
License: AGPL-3.0
Opens a new window with license information.
Imports: 8
Opens a new window with list of imports.
Imported by: 0
Opens a new window with list of known importers.
Documentation
¶
PlaintextFromMarkdown function converts the description with optional Markdown tags
to the plaintext form.
Source Files
¶
Click to show internal directories.
Click to hide internal directories.