
Centrifugo v6.6.0 dependency vulnerabilities

Moderate
FZambia published GHSA-j9wf-6r2x-hqmx Feb 19, 2026

Package

gomod github.com/centrifugal/centrifugo/v6 (Go)

Affected versions

<6.6.1

Patched versions

6.6.1

Description

Summary

The Centrifugo v6.6.0 binary is compiled with Go 1.25.5 and statically links
github.com/quic-go/webtransport-go v0.9.0; together these have 7 known CVEs.

Go standard library — compiled with Go 1.25.5:

| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |

Direct dependency github.com/quic-go/webtransport-go — pinned at v0.9.0
(go.mod line 34):

| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
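
One way to check a deployed binary against the "Fixed In" versions listed above, as an added example (not part of the advisory or of Centrifugo's code). It reads the build metadata Go embeds in every binary; the names `audit`, `semverLess`, `minGo`, `wtPath` and `wtFixed` are hypothetical, and it assumes Go release lines newer than 1.25 already carry the fixes.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"slices"
)

// Fixed toolchain per release line, from the advisory; newer lines are assumed fixed.
var minGo = map[string]string{"go1.25": "go1.25.7", "go1.24": "go1.24.13"}

const wtPath, wtFixed = "github.com/quic-go/webtransport-go", "v0.10.0"

// semverLess compares plain vMAJOR.MINOR.PATCH strings; pre-release tags are ignored.
func semverLess(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return slices.Compare(x[:], y[:]) < 0
}

// audit returns one finding per component that is below its fixed version.
func audit(goVer string, deps map[string]string) []string {
	var out []string
	if need, ok := minGo[version.Lang(goVer)]; ok && version.Compare(goVer, need) < 0 {
		out = append(out, fmt.Sprintf("toolchain %s < %s", goVer, need))
	} else if !ok && version.Compare(goVer, "go1.24") < 0 {
		out = append(out, fmt.Sprintf("toolchain %q is not on a patched release line", goVer))
	}
	if v, ok := deps[wtPath]; ok && semverLess(v, wtFixed) {
		out = append(out, fmt.Sprintf("%s %s < %s", wtPath, v, wtFixed))
	}
	return out
}

func main() {
	// Reads the binary named by the last argument (this program itself if none given).
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		panic(err)
	}
	deps := map[string]string{}
	for _, d := range info.Deps {
		deps[d.Path] = d.Version
	}
	for _, f := range audit(info.GoVersion, deps) {
		fmt.Println("VULNERABLE:", f)
	}
}
```

The same metadata is printed by `go version -m <binary>`, so the comparison can also be done by eye when only one binary needs checking.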

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.
