golang.org/x/text which has a here vulnerability as reported here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040

Short-term and Long-term upgrade fix is available in v0.3.7

Impacted Items:
spec
loads
jsonreference

This is not an exhaustive list , there may be more