Is github.com/osrg/gobgp affected by CVE-2026-30405?

Go github.com/osrg/gobgp is affected in >=0.

Is CVE-2026-30405 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

medium

CVE-2026-30405

Go · github.com/osrg/gobgp • Go · github.com/osrg/gobgp/v3 • Go · github.com/osrg/gobgp/v4

Summary

GoBGP vulnerable to a denial of service via the NEXT_HOP path attribute in github.com/osrg/gobgp

Severity: medium
EPSS: 0.3% (p25)
Also known as: GHSA-4p9m-8gc4-rw2h, GO-2026-4736, GO-2026-4736#github.com/osrg/gobgp, GO-2026-4736#github.com/osrg/gobgp/v3, GO-2026-4736#github.com/osrg/gobgp/v4
Published: 2026-04-07

References

https://github.com/advisories/GHSA-4p9m-8gc4-rw2h
https://github.com/osrg/gobgp/commit/583080a7258e22cc884162e15b078771aa2c2c80
https://github.com/osrg/gobgp/issues/3305

Related advisories

CVE-2026-7737 — medium · Go/github.com/osrg/gobgp

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.