
[Aikido] Fix 1 critical issue in google.golang.org/grpc and 13 other issues#218

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-25548942-o7rz

Conversation

@aikido-autofix
Contributor

Upgrade dependencies to fix critical memory-safety and authorization bypass vulnerabilities in pgx, gRPC, and Docker, plus privilege escalation and plugin hijacking issues.

✅ 14 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue | Severity | Description
CVE-2026-33816 | 🚨 CRITICAL | [github.com/jackc/pgx/v5] Memory-safety vulnerability in github.com/jackc/pgx/v5.
GHSA-j88v-2chj-qfwx | LOW | [github.com/jackc/pgx/v5] SQL injection vulnerability occurs when using the simple protocol with dollar-quoted string literals containing attacker-controlled placeholder-like text. This allows remote code execution through malicious SQL injection in specific query patterns.
CVE-2026-33186 | 🚨 CRITICAL | [google.golang.org/grpc] Improper HTTP/2 :path validation allows requests without leading slashes to bypass path-based authorization interceptors, enabling attackers to circumvent "deny" rules and access restricted gRPC methods. This authorization bypass affects servers using path-based RBAC policies with fallback "allow" rules.
CVE-2026-33997 | HIGH | [github.com/docker/docker] A privilege validation bypass in plugin installation allows the daemon to incorrectly accept unapproved privilege sets due to flawed comparison logic, enabling plugins to gain unintended elevated permissions.
CVE-2026-34040 | HIGH | [github.com/docker/docker] Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVE-2025-15558 | HIGH | [github.com/docker/cli] Docker CLI on Windows searches for plugins in an unprotected default directory, allowing low-privileged attackers to place malicious plugin binaries that execute with elevated privileges, enabling privilege escalation and arbitrary code execution.
CVE-2026-24051 | HIGH | [go.opentelemetry.io/otel/sdk] Path hijacking vulnerability in resource detection code allows local attackers to execute arbitrary code by manipulating the PATH environment variable on macOS systems.
CVE-2026-39883 | HIGH | [go.opentelemetry.io/otel/sdk] A PATH hijacking vulnerability exists in the BSD kenv command execution, allowing attackers to execute arbitrary code by manipulating the PATH environment variable. This enables remote code execution on BSD and Solaris platforms.
AIKIDO-2025-10586 | HIGH | [github.com/getkin/kin-openapi] Affected versions of this package are vulnerable to path traversal in the ReadFromFile function due to insufficient input sanitization, allowing attackers to access files outside the intended directory.
CVE-2026-35166 | MEDIUM | [github.com/gohugoio/hugo] Markdown links and image links are not properly escaped in the default HTML renderer, allowing potential XSS attacks through untrusted Markdown content. This affects users who don't use custom render hooks or trust all their Markdown sources.
CVE-2025-47914 | MEDIUM | [golang.org/x/crypto] SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out-of-bounds read.
CVE-2025-58181 | MEDIUM | [golang.org/x/crypto] SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
AIKIDO-2025-10577 | LOW | [github.com/tdewolff/parse/v2] The parser fails to properly track expression nesting depth in function declarations, allowing attackers to craft deeply nested expressions that cause stack overflow and excessive resource consumption, leading to denial of service through application crashes or hangs.
CVE-2026-26958 | LOW | [filippo.io/edwards25519] MultiScalarMult produces incorrect results when called on non-identity points, potentially returning invalid points that compare equal to all other points, compromising cryptographic operations. This affects advanced API users performing elliptic curve calculations.

@aikido-autofix
Contributor Author

Closed by Aikido: a new AutoFix has been created → #220

aikido-autofix (bot) closed this on Apr 24, 2026
aikido-autofix (bot) deleted the fix/aikido-security-update-packages-25548942-o7rz branch on April 24, 2026 at 00:12