github.com/centrifugal/centrifugo/v6 vulnerabilities
2 known vulnerabilities affecting github.com/centrifugal/centrifugo/v6.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1
Vulnerabilities
CVE-2026-32301 · CRITICAL · ≥ 0, < 6.7.0 · 2026-03-13
CVE-2026-32301 [CRITICAL] CWE-918 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
### Summary
Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. `{{tenant}}`). An unauthenticated attacker can craft a JWT with a malicious `iss` or `aud` claim value that gets interpolated into the J
ghsa, osv
CVE-2025-68121 · HIGH · CVSS 7.5 · ≥ 0, < 6.6.1 · 2026-02-19
CVE-2025-68121 [HIGH] CWE-1395 Centrifugo v6.6.0 dependency vulnerabilities
### Summary
The Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and statically links `github.com/quic-go/webtransport-go v0.9.0`, having **7 known CVEs**
**Go standard library — compiled with Go 1.25.5:**

| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5
ghsa, osv