### Summary

The current sqlx release (v1.4.0) requires `github.com/go-sql-driver/mysql` v1.8.1, which transitively pulls in `filippo.io/edwards25519` v1.1.0. That version of edwards25519 is flagged by CVE-2026-26958. Bumping the driver to v1.10.0 (current latest) resolves the flag, since go-sql-driver/mysql has already moved to a fixed edwards25519.

### Details

- CVE-2026-26958 affects `filippo.io/edwards25519` ≤ v1.1.0: `(*Point).MultiScalarMult` returns an incorrect result (or undefined behavior) when the receiver is not the identity point. Fixed in v1.1.1. Severity is low (CVSS 1.7).
- go-sql-driver/mysql v1.8.1 → edwards25519 v1.1.0 (flagged).
- go-sql-driver/mysql v1.10.0 → edwards25519 v1.2.0 (updated to v1.1.1 in go-sql-driver/mysql#1749, "Update edwards25519 dependency to v1.1.1", then bumped to v1.2.0 in #1756). Not flagged.

### On actual impact

For full disclosure: CVE-2026-26958 explicitly states that consumers who reach edwards25519 only through `github.com/go-sql-driver/mysql` are not affected — the driver never calls the vulnerable `MultiScalarMult` API. Symbol-reachability scanners such as `govulncheck` correctly report no vulnerability for sqlx today.

The practical issue is the many SCA/dependency scanners (Dependabot and other module-level matchers) that flag any dependency graph containing edwards25519 ≤ v1.1.0 regardless of symbol reachability. These produce recurring false positives for every project that depends on sqlx. Since go-sql-driver/mysql has already shipped a fixed version, updating the requirement here is a low-risk way to keep those downstream scans clean — it's really just keeping a direct dependency current, with the CVE noise going away as a side effect.

### Suggested change

In `go.mod`, update `github.com/go-sql-driver/mysql` to `v1.10.0` and run `go mod tidy`.
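The module-level flagging described under "On actual impact", and the before/after state of the requirement graph that the suggested go.mod bump produces for downstreams, as an added example that is not part of this issue and not code from sqlx or go-sql-driver/mysql. It parses a constructed `go mod graph`-style listing (module and version numbers are the ones named in the issue; the main module `example.com/app` and the import path `github.com/jmoiron/sqlx` are assumptions), picks the selected version per module the way minimal version selection does (highest version required anywhere), and flags `filippo.io/edwards25519` purely by version, without asking whether any vulnerable symbol is reachable. That is exactly the difference between a Dependabot-style matcher and govulncheck. The "after" graph models a consumer that pins the driver directly at v1.10.0, which has the same effect on the selected versions as sqlx bumping its own requirement.

```go
package main

import "fmt"
import "strings"

// Advisory facts quoted in the issue: edwards25519 <= v1.1.0 is affected, v1.1.1 is the first fix.
const vulnModule, firstFixed = "filippo.io/edwards25519", "v1.1.1"

// Constructed `go mod graph`-style listing for a consumer of sqlx v1.4.0. The main module
// example.com/app and the path github.com/jmoiron/sqlx are assumptions; versions are from the issue.
const graphBefore = `example.com/app github.com/jmoiron/sqlx@v1.4.0
github.com/jmoiron/sqlx@v1.4.0 github.com/go-sql-driver/mysql@v1.8.1
github.com/go-sql-driver/mysql@v1.8.1 filippo.io/edwards25519@v1.1.0`

// Same consumer after pinning the driver at v1.10.0 (constructed): the stale v1.8.1 edge stays listed, but MVS builds v1.10.0.
const graphAfter = graphBefore + `
example.com/app github.com/go-sql-driver/mysql@v1.10.0
github.com/go-sql-driver/mysql@v1.10.0 filippo.io/edwards25519@v1.2.0`

// compareVersions orders semver cores such as "v1.10.0" > "v1.8.1"; only the sign matters.
func compareVersions(a, b string) int {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] - y[i]
		}
	}
	return 0
}

type modGraph struct {
	root  string              // main module: the one node without a version
	sel   map[string]string   // selected version per module path; MVS picks the highest required
	edges map[string][]string // requirement edges keyed by the exact "path@version" node
}

func parseGraph(graph string) modGraph {
	g := modGraph{sel: map[string]string{}, edges: map[string][]string{}}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		g.edges[f[0]] = append(g.edges[f[0]], f[1])
		for _, node := range f {
			path, ver, ok := strings.Cut(node, "@")
			if !ok {
				g.root = path
			} else if cur, seen := g.sel[path]; !seen || compareVersions(ver, cur) > 0 {
				g.sel[path] = ver
			}
		}
	}
	return g
}

// selected returns the "path@version" node of a module path that actually ends up in the build.
func (g modGraph) selected(path string) string {
	if v, ok := g.sel[path]; ok {
		return path + "@" + v
	}
	return path
}

// ModuleLevelFlag does what Dependabot-style matchers do: compare the selected version of the
// vulnerable module with the first fix, never asking whether a vulnerable symbol is reachable.
func ModuleLevelFlag(graph string) (flagged bool, selected string) {
	v, ok := parseGraph(graph).sel[vulnModule]
	return ok && compareVersions(v, firstFixed) < 0, v
}

// DependencyChain explains a flag (main module -> ... -> edwards25519), following only edges that leave selected versions.
func DependencyChain(graph string) []string {
	g, seen := parseGraph(graph), map[string]bool{}
	var walk func(from string) []string
	walk = func(from string) []string {
		if seen[from] {
			return nil
		}
		seen[from] = true
		if from == vulnModule {
			return []string{g.selected(from)}
		}
		for _, next := range g.edges[g.selected(from)] {
			dst, _, _ := strings.Cut(next, "@")
			if rest := walk(dst); rest != nil {
				return append([]string{g.selected(from)}, rest...)
			}
		}
		return nil
	}
	return walk(g.root)
}

func main() {
	for _, g := range []string{graphBefore, graphAfter} {
		flagged, v := ModuleLevelFlag(g)
		fmt.Printf("%s@%s flagged=%v via %s\n", vulnModule, v, flagged, strings.Join(DependencyChain(g), " -> "))
	}
}
```

Run as-is it prints the before graph as flagged at edwards25519 v1.1.0, reached through sqlx and the driver, and the after graph as clean at v1.2.0 even though the stale v1.8.1 requirement edge is still present in the listing; that is the state a module-level scanner looks at. In a real checkout, the equivalent check after the bump and `go mod tidy` is `go list -m all`, which prints the selected versions and should show `filippo.io/edwards25519 v1.2.0` rather than v1.1.0.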