Skip to main content

Cmd Go

3 CVEs product

Monthly

CVE-2026-39817 Go MEDIUM PATCH This Month

The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.

Buffer Overflow Memory Corruption Cmd Go
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39819 Go MEDIUM PATCH This Month

The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.

Information Disclosure Cmd Go
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27140 Go HIGH PATCH NEWS This Week

Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.

RCE Authentication Bypass Cmd Go
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.

Buffer Overflow Memory Corruption Cmd Go
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.

Information Disclosure Cmd Go
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.

RCE Authentication Bypass Cmd Go
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy