Skip to content

[HIGH] fix: CVE-2026-32287 — bump github.com/antchfx/xpath#78

Open
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2026-32287-3e128ceb
Open

[HIGH] fix: CVE-2026-32287 — bump github.com/antchfx/xpath#78
Pattern Security Automation (pattern-security-automation) wants to merge 1 commit into
mainfrom
fix/wiz-cve-2026-32287-3e128ceb

Conversation

@pattern-security-automation

Supply Chain Vulnerability — Auto-Remediation PR

This PR was automatically generated by Pattern Security Automation.
Please review the dependency change and ensure CI passes before merging.


CVE Details

Field Value
CVE CVE-2026-32287
Severity HIGH
Repository patterninc/caterpillar
Vulnerable package github.com/antchfx/xpath
Fixed version 1.3.6
Dependency type Direct
Previous version v1.3.5
Language go

What Changed

github.com/antchfx/xpath: v1.3.51.3.6

  • go.mod

Lock File Status

Lock file update failed — manual regen required

CI Validation

This PR relies on the repository's existing CI pipeline to validate that the
dependency update does not break tests. Please ensure all checks pass before merging.

False positive?

If you've reviewed this and the CVE is not actually exploitable here, add the
wiz-false-positive label to this PR before closing it. The auto-remediation
pipeline will record the false positive, stop re-flagging this CVE, and (if enabled)
mark it rejected in Wiz.

References


Auto-generated by Pattern Security Automation

CVE: CVE-2026-32287
Component: github.com/antchfx/xpath
Fixed version: 1.3.6
Manifest: go.mod
Dependency type: direct

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR remediates CVE-2026-32287 by bumping the Go module dependency github.com/antchfx/xpath to the reported fixed version to reduce supply-chain risk.

Changes:

  • Bump github.com/antchfx/xpath from v1.3.5 to v1.3.6 in go.mod.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go.mod
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/DataDog/zstd v1.5.7 // indirect
github.com/antchfx/xpath v1.3.5 // indirect
github.com/antchfx/xpath v1.3.6 // indirect
Comment thread go.mod
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/DataDog/zstd v1.5.7 // indirect
github.com/antchfx/xpath v1.3.5 // indirect
github.com/antchfx/xpath v1.3.6 // indirect
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants