From 02dab9ba1d0a4de2fe6752277467c6da56d3d8f8 Mon Sep 17 00:00:00 2001 From: Vladislav Date: Tue, 30 Jun 2026 11:14:05 +0300 Subject: [PATCH] fix: bump Go toolchain to 1.26.4 (CVE-2026-42504 / GO-2026-5038) Go 1.26.x before 1.26.4 is vulnerable to DoS in mime.WordDecoder.DecodeHeader (CVE-2026-42504 / GO-2026-5038). The fix was released in Go 1.26.4 on 2026-06-02. https://pkg.go.dev/vuln/GO-2026-5038 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 1847d35d5..6e4978920 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/jfrog/jfrog-cli -go 1.26.3 +go 1.26.4 replace ( // Should not be updated to 0.11.0+ due to default spec version change (1.6 -> 1.7, https://github.com/CycloneDX/cyclonedx-go/pull/257)