ejoffe / spr

Stacked Pull Requests on GitHub
MIT License
796 stars 68 forks

CVE-2022-29526 & CVE-2022-29526 #353

Closed yaneury closed 1 year ago

yaneury commented 1 year ago

Hello! 👋

I'm a huge fan of this project and would like to use it at my company. Unfortunately, my company requires approval before using any open source tool. In this case, we can use it once two vulnerabilities are fixed. Our internal scanning tool spotted CVE-2022-28948 and CVE-2022-29526 in this repo.

Can I draft a PR to address these? I think one should be fixed by bumping the Go version to 1.18, while the other needs a bit more investigation.

ejoffe commented 1 year ago

Yes, go for it. Pull Requests always welcome.