{"id":"GO-2026-5255","summary":"nebula-mesh: Decrypted CA private key persists in heap after signing in github.com/forgekeep/nebula-mesh","details":"nebula-mesh: Decrypted CA private key persists in heap after signing in github.com/forgekeep/nebula-mesh","aliases":["CVE-2026-48025","GHSA-8h84-fhqq-q58v"],"modified":"2026-06-25T19:45:22.853334296Z","published":"2026-06-25T18:43:15Z","database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-5255"},"references":[{"type":"ADVISORY","url":"https://github.com/juev/nebula-mesh/security/advisories/GHSA-8h84-fhqq-q58v"},{"type":"FIX","url":"https://github.com/forgekeep/nebula-mesh/commit/bca1d5914fbaf3517d3b86145a802c00de4a8122"},{"type":"WEB","url":"https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.7"}],"affected":[{"package":{"name":"github.com/forgekeep/nebula-mesh","ecosystem":"Go","purl":"pkg:golang/github.com/forgekeep/nebula-mesh"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.7"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5255.json"}}],"schema_version":"1.7.5"}