pkg:Go/github.com/fleetdm/fleet/v4

41 total CVE entries listed (25 distinct CVE IDs). Severity shown on this page: HIGH 3, MEDIUM 2; the remaining entries carry no severity score here.


All known vulnerabilities

  • [HIGH 7.8] CVE-2026-27806: Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
    Affected: >= 0, < 4.81.1
  • [HIGH 7.5] CVE-2026-23998: Fleet has a Windows MDM management endpoint authentication bypass
    Affected: >= 0, < 4.81.0
  • [MEDIUM 5.3] CVE-2026-24000: Fleet has a rate limiting bypass via untrusted client IP headers
    Affected: >= 0, < 4.80.1
  • [MEDIUM 5.3] CVE-2022-23600: Limited ability to spoof SAML authentication with missing audience verification in Fleet
    Affected: >= 0, < 4.9.1
  • CVE-2026-46356: Fleet: IP spoofing allows bypassing API rate limiting
    Affected: >= 0, < 4.80.1
  • CVE-2026-26191: Fleet vulnerable to OS command injection in software packages
    Affected: >= 0, < 4.81.1
  • CVE-2026-26062: Fleet server may terminate unexpectedly when handling certain gRPC requests
    Affected: >= 0, < 4.81.0
  • CVE-2026-24899: Fleet Windows MDM Azure AD JWT Authentication Bypass
    Affected: >= 0, < 4.82.0
  • CVE-2026-34389: Fleet's user account creation via invite does not enforce invited email address
    Affected: >= 0, < 4.81.0
  • CVE-2026-34388: Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
    Affected: >= 0, < 4.81.0
  • CVE-2026-34386: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin
    Affected: >= 0, < 4.81.0
  • CVE-2026-34385: Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database
    Affected: >= 0, < 4.81.0
  • CVE-2026-29180: A Fleet team maintainer can transfer hosts from any team via missing source team authorization
    Affected: >= 0, < 4.81.1
  • CVE-2026-26061: Fleet's unbounded request body read allows remote Denial of Service
    Affected: >= 0 (no fixed version listed for this entry)
  • CVE-2026-26061: Fleet's unbounded request body read allows remote Denial of Service
    Affected: >= 0, < 4.43.5-0.20260113202849-bbc1aef2987d
  • CVE-2026-26060: Fleet: Password reset tokens remain valid after password change for 24 hours
    Affected: >= 0, < 4.43.5-0.20260113202849-bbc1aef2987d
  • CVE-2026-26060: Fleet: Password reset tokens remain valid after password change for 24 hours
    Affected: >= 0 (no fixed version listed for this entry)
  • CVE-2026-27465: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet
    Affected: >= 0, < 4.80.1
  • CVE-2026-25963: Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet
    Affected: >= 0, < 4.80.1
  • CVE-2026-24004: Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet
    Affected: >= 0, < 4.80.1
  • CVE-2026-23999: Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet
    Affected: >= 0, < 4.80.1
  • CVE-2026-26186: Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet
    Affected: >= 0, < 4.80.1
  • CVE-2026-23518: Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
    Affected: >= 4.75.0, < 4.75.2, >= 4.76.0, < 4.76.2, >= 4.77.0, < 4.77.1, >= 4.78.0, < 4.78.3
  • CVE-2026-23517: Fleet has an Access Control vulnerability in debug/pprof endpoints
    Affected: >= 0, < 4.78.3-0.20260112221730-5c030e32a3a9
  • CVE-2026-23517: Fleet has an Access Control vulnerability in debug/pprof endpoints
    Affected: >= 4.75.0, < 4.75.2, >= 4.76.0, < 4.76.2, >= 4.77.0, < 4.77.1, >= 4.78.0, < 4.78.3
  • CVE-2026-22808: Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet
    Affected: >= 0, < 4.43.5-0.20260111020427-0e6c790803d1
  • CVE-2026-22808: Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet
    Affected: >= 4.75.0, < 4.75.2, >= 4.76.0, < 4.76.2, >= 4.77.0, < 4.77.1, >= 4.78.0, < 4.78.2
  • CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation
    Affected: >= 0 (no fixed version listed for this entry)
  • CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation
    Affected: >= 4.64.0, < 4.64.2
  • CVE-2020-26276: SAML authentication vulnerability due to stdlib XML parsing
    Affected: >= 0, < 3.5.1
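Checking an installed version against the ranges above, as an added example that is neither Fleet's code nor this page's: a small Go matcher for the range notation used in this list (both the "from 0, < X" form and the multi-interval ">= A, < B, >= C, < D" form). The ranges it is fed are transcribed from this page; the installed version is constructed input. The detail worth getting right is the pseudo-version bounds such as < 4.43.5-0.20260113202849-bbc1aef2987d: under SemVer a pre-release sorts below the release it precedes, so 4.43.4 falls inside that range while the pseudo-version itself and a tagged 4.43.5 fall outside it, which a naive string comparison gets wrong.

```go
package main

import (
	"cmp"
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version; Pre holds the pre-release identifiers, which is how
// the Go pseudo-versions in this page's ranges (4.43.5-0.20260113202849-bbc1aef2987d) appear.
type Version struct {
	Nums [3]int
	Pre  []string
}

// ParseVersion accepts "4.81.1", "v4.81.1", a bare "0" (padded to 0.0.0) and pre-release/pseudo-versions.
func ParseVersion(s string) (Version, error) {
	var v Version
	core, pre, hasPre := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	for i, p := range strings.Split(core, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || i > 2 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v.Nums[i] = n
	}
	if hasPre {
		v.Pre = strings.Split(pre, ".")
	}
	return v, nil
}

// cmpIdent orders pre-release identifiers per SemVer: numeric ones compare numerically and
// sort before alphanumeric ones, which compare by ASCII.
func cmpIdent(a, b string) int {
	na, errA := strconv.Atoi(a)
	nb, errB := strconv.Atoi(b)
	switch {
	case errA == nil && errB == nil:
		return cmp.Compare(na, nb)
	case errA == nil:
		return -1
	case errB == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// Compare returns -1, 0 or 1. A pre-release sorts before the release it precedes, so
// 4.43.4 < 4.43.5-0.20260113202849-bbc1aef2987d < 4.43.5.
func Compare(a, b Version) int {
	for i := range a.Nums {
		if c := cmp.Compare(a.Nums[i], b.Nums[i]); c != 0 {
			return c
		}
	}
	if len(a.Pre) == 0 || len(b.Pre) == 0 {
		return cmp.Compare(len(b.Pre), len(a.Pre)) // a release outranks a pre-release
	}
	for i := 0; i < len(a.Pre) && i < len(b.Pre); i++ {
		if c := cmpIdent(a.Pre[i], b.Pre[i]); c != 0 {
			return c
		}
	}
	return cmp.Compare(len(a.Pre), len(b.Pre))
}

// Affected evaluates one range in this page's notation ("from 0, < 4.81.1" or
// ">= 4.75.0, < 4.75.2, >= 4.76.0, < 4.76.2"): "from X" / ">= X" opens an interval and "< X"
// closes it; an interval left open (a bare "from 0") names no fixed version and matches every version >= X.
func Affected(installed, rng string) (bool, error) {
	v, err := ParseVersion(installed)
	if err != nil {
		return false, err
	}
	aboveLower := false
	for _, tok := range strings.Split(rng, ",") {
		op, arg, _ := strings.Cut(strings.TrimSpace(tok), " ")
		bound, err := ParseVersion(strings.TrimSpace(arg))
		if err != nil {
			return false, err
		}
		switch op {
		case "from", ">=":
			aboveLower = Compare(v, bound) >= 0
		case "<":
			if aboveLower && Compare(v, bound) < 0 {
				return true, nil
			}
			aboveLower = false
		default:
			return false, fmt.Errorf("unknown operator %q in %q", op, rng)
		}
	}
	return aboveLower, nil
}

func main() { // constructed input; in practice the version comes from `go list -m github.com/fleetdm/fleet/v4`
	fmt.Println(Affected("4.43.4", "from 0, < 4.43.5-0.20260113202849-bbc1aef2987d"))
}
```

Affected takes one range string as printed on this page, so run it over every entry for the module version reported by `go list -m github.com/fleetdm/fleet/v4` or the release tag you deployed. The hand-rolled comparator is there to make the pre-release rule visible; golang.org/x/mod/semver.Compare implements the same ordering (it requires the leading "v"), and in a real pipeline govulncheck resolves these ranges from the Go vulnerability database for you.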