Go

The dasel selector lexer is vulnerable to an index-out-of-range panic when tokenizing a quoted string that ends with a trailing backslash (e.g., `"\` or `'\`), leading to a process crash if an attacker can control the selector string.

go-git may parse malformed Git objects differently than upstream Git, leading to inconsistent interpretation and potentially allowing the signing or verification of commits with altered metadata, as described in CVE-2026-45022.

A vulnerability in the go-markdown library exists where processing a malformed input containing a '<' character that is not followed by a '>' character with a SmartypantsRenderer can lead to an out-of-bounds read or a panic, causing a denial of service.