diff --git a/vuln/go.mod b/vuln/go.mod
new file mode 100644
index 0000000..0e401db
--- /dev/null
+++ b/vuln/go.mod
@@ -0,0 +1,16 @@
+module golang.org/vuln
+
+go 1.22
+
+require (
+	// This version has one vulnerability that is imported, and
+	// one that is called.
+	github.com/tidwall/gjson v1.6.5
+	// This version has a vulnerability that is called.
+	golang.org/x/text v0.3.0
+)
+
+require (
+	github.com/tidwall/match v1.1.0 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+)
diff --git a/vuln/go.sum b/vuln/go.sum
new file mode 100644
index 0000000..a1d8fcd
--- /dev/null
+++ b/vuln/go.sum
@@ -0,0 +1,10 @@
+github.com/tidwall/gjson v1.6.5 h1:P/K9r+1pt9AK54uap7HcoIp6T3a7AoMg3v18tUis+Cg=
+github.com/tidwall/gjson v1.6.5/go.mod h1:zeFuBCIqD4sN/gmqBzZ4j7Jd6UcA2Fc56x7QFsv+8fI=
+github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/match v1.1.0 h1:VfI2e2aXLvytih7WUVyO9uvRC+RcXlaTrMbHuQWnFmk=
+github.com/tidwall/match v1.1.0/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.0.2/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/vuln/subdir/subdir.go b/vuln/subdir/subdir.go
new file mode 100644
index 0000000..71cd2ae
--- /dev/null
+++ b/vuln/subdir/subdir.go
@@ -0,0 +1,9 @@
+package subdir
+
+import (
+	"golang.org/x/text/language"
+)
+
+func Foo() {
+	language.Parse("")
+}
diff --git a/vuln/vuln.go b/vuln/vuln.go
new file mode 100644
index 0000000..3a9ac57
--- /dev/null
+++ b/vuln/vuln.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"encoding/pem"
+	"fmt"
+
+	"github.com/tidwall/gjson"
+	"golang.org/x/text/language"
+)
+
+func main() {
+	fmt.Println("hello")
+	language.Parse("")
+	gjson.Result{}.Get("")
+	_, _ = pem.Decode([]byte("test"))
+}