`github.com/rclone/rclone` GO-2026-4964 lists the impacted versions as "before v1.73.5", but Grype lists the impacted version range as `<1.73.5 || >=1.45.0` -- the `|| >= 1.45.0` causes versions with the fix (1.73.5+) to be reported as vulnerable.

```
> grype db search --vuln GO-2026-4964
VULNERABILITY  PACKAGE                   ECOSYSTEM  NAMESPACE             VERSION CONSTRAINT
GO-2026-4964   github.com/rclone/rclone  go-module  govulndb:language:go  <1.73.5 || >=1.45.0
```

The equivalent CVE has the correct version range:

```
> grype db search --vuln CVE-2026-41176
VULNERABILITY   PACKAGE                                    ECOSYSTEM  NAMESPACE  VERSION CONSTRAINT
CVE-2026-41176  cpe:2.3:a:rclone:rclone:*:*:*:*:*:go:*:*  go         nvd:cpe    >= 1.45.0, < 1.73.5
```

Also commented about this in an issue on the main grype repo tracking issues with `govulndb` issues (anchore/grype#3510 (comment)).
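The two constraints from the report, evaluated side by side, as an added example that is not Grype's code or part of the original report. It is a simplified evaluator that assumes `||` means OR and `,` means AND; `key`, `term` and `Matches` are hypothetical names, and the sample versions are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key packs "1.73.5" (or "v1.73.5") into one comparable integer.
// Assumption: plain major.minor.patch, each part below 100000, no pre-release suffix.
func key(v string) int {
	var n [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return (n[0]*100000+n[1])*100000 + n[2]
}

// term evaluates one comparison such as ">= 1.45.0" against version key v.
func term(t string, v int) bool {
	t = strings.TrimSpace(t)
	for _, op := range []string{">=", "<=", ">", "<", "="} {
		if strings.HasPrefix(t, op) {
			b := key(t[len(op):])
			return map[string]bool{">=": v >= b, "<=": v <= b, ">": v > b, "<": v < b, "=": v == b}[op]
		}
	}
	return false // unrecognised term never matches
}

// Matches treats "||" as OR between alternatives and "," as AND within one.
func Matches(constraint, version string) bool {
	hit := false
	for _, alt := range strings.Split(constraint, "||") {
		all := true
		for _, t := range strings.Split(alt, ",") {
			all = all && term(t, key(version))
		}
		hit = hit || all
	}
	return hit
}

func main() {
	// Constructed sample versions: below the range, inside it, the fix, after the fix.
	for _, v := range []string{"1.44.0", "1.60.0", "1.73.5", "1.74.0"} {
		fmt.Println(v, Matches("<1.73.5 || >=1.45.0", v), Matches(">= 1.45.0, < 1.73.5", v))
	}
}
```

Because the two halves of the OR overlap and together cover every version, the first constraint matches all four samples, while the comma form matches only 1.60.0.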