0.0
CVE-2026-39820 - Quadratic string concatentation in consumeComment in net/mail
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
7.5
CVE-2026-42501 - Malicious module proxy can bypass checksum database in cmd/go
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versionsβ¦
0.0
CVE-2026-39823 - Bypass of meta content URL escaping causes XSS in html/template
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
0.0
CVE-2026-33811 - Crash when handling long CNAME response in net
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
0.0
CVE-2026-39826 - Escaper bypass leads to XSS in html/template
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
0.0
CVE-2026-39817 - Invoking "go tool pack" does not sanitize output paths in cmd/go
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
0.0
CVE-2026-39819 - Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
0.0
CVE-2026-42499 - Quadratic string concatenation in consumePhrase in net/mail
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
0.0
CVE-2026-39825 - ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReversePrβ¦
0.0
CVE-2026-39836 - Panic in Dial and LookupPort when handling NUL byte on Windows in net
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).