Skip to main content

Go

124 CVEs product

Monthly

CVE-2026-27142 Go MEDIUM PATCH This Month

HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. No patch is currently available, though a GODEBUG setting (htmlmetacontenturlescape=0) can be configured as a temporary mitigation.

XSS Go
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27139 Go LOW PATCH Monitor

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. [CVSS 2.5 LOW]

Path Traversal Go
NVD VulDB
CVSS 3.1
2.5
EPSS
0.0%
CVE-2026-27138 Go MEDIUM PATCH This Month

DNS certificate verification can crash in systems handling X.509 certificate chains when processing certificates with empty DNS names paired with excluded name constraints, affecting applications performing direct certificate validation or using TLS. This denial of service condition requires no authentication or user interaction but depends on specific certificate chain configurations. No patch is currently available for this vulnerability.

Denial Of Service Go
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-27137 Go HIGH PATCH This Week

X.509 certificate chain validation in Go 1.26.0 improperly enforces email address constraints when multiple constraints share local parts but differ in domain parts, causing all but the last constraint to be ignored. This CWE-295 (Improper Certificate Validation) flaw allows attackers to bypass intended certificate usage restrictions through specially crafted certificate chains, potentially enabling unauthorized access to services relying on Go's TLS implementation for email-based certificate validation. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Go
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25679 Go HIGH PATCH This Week

Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.

Information Disclosure Go
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68121 Go CRITICAL POC PATCH Act Now

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.

Information Disclosure Go
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-61732 Go HIGH PATCH This Week

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Go Code Injection RCE
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-22873 Go LOW PATCH Monitor

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. [CVSS 3.8 LOW]

Path Traversal Go
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-68119 Go HIGH PATCH This Week

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. [CVSS 7.0 HIGH]

Buffer Overflow RCE Go Red Hat Suse
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-61731 Go HIGH PATCH This Week

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. [CVSS 7.8 HIGH]

Go Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61730 Go MEDIUM PATCH This Month

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]

TLS Information Disclosure Go Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-61728 Go MEDIUM POC PATCH This Month

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. [CVSS 6.5 MEDIUM]

Denial Of Service Go Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61726 Go HIGH POC PATCH This Week

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. [CVSS 7.5 HIGH]

Denial Of Service Go
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-61727 Go MEDIUM PATCH This Month

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Information Disclosure Ubuntu Debian Go Red Hat +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61729 Go HIGH PATCH This Week

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Information Disclosure Ubuntu Debian Go Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-47906 Go MEDIUM POC PATCH This Month

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Go Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47907 Go HIGH PATCH This Month

Cancelling a query (e.g. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Race Condition Go Red Hat Suse
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-0913 Go MEDIUM PATCH This Month

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Microsoft Information Disclosure Ubuntu Debian Go +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2023-45285 Go HIGH PATCH This Week

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-39326 Go MEDIUM PATCH This Month

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2023-45287 Go HIGH PATCH This Week

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-49292 Go MEDIUM POC PATCH This Month

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Go
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-45284 Go MEDIUM PATCH This Month

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Go
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2023-45283 Go HIGH PATCH This Week

The filepath package does not recognize paths with a \??\ prefix as special. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Microsoft Go
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2023-39325 Go HIGH PATCH This Week

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Http2 Fedora Astra Trident +1
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2023-39323 Go HIGH PATCH This Week

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Go Fedora
NVD
CVSS 3.1
8.1
EPSS
1.8%
CVE-2023-39322 Go HIGH PATCH This Week

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-39321 Go HIGH PATCH This Week

Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-39320 Go CRITICAL PATCH Act Now

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-39319 Go MEDIUM PATCH This Month

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Go
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2023-39318 Go MEDIUM PATCH This Month

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Go
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2023-29409 Go MEDIUM PATCH This Month

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2023-29406 Go MEDIUM PATCH This Month

The HTTP/1 client does not fully validate the contents of the Host header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2023-29405 Go CRITICAL PATCH Act Now

The go command may execute arbitrary code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Go Fedora
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-29404 Go CRITICAL PATCH Act Now

The go command may execute arbitrary code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go Fedora
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2023-29403 Go HIGH PATCH This Week

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Information Disclosure Go Fedora
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2023-29402 Go CRITICAL PATCH Act Now

The go command may generate unexpected code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go Fedora
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-29400 Go HIGH PATCH This Week

Templates containing actions in unquoted HTML attributes (e.g. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2023-24540 Go CRITICAL PATCH Act Now

Not all valid JavaScript whitespace characters are considered to be whitespace. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Go
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-24539 Go HIGH PATCH This Week

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2023-24538 Go CRITICAL PATCH Act Now

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Google Go
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2023-24537 Go HIGH PATCH This Week

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-24536 Go HIGH PATCH This Week

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-24534 Go HIGH PATCH This Week

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2023-24532 Go MEDIUM PATCH This Month

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2022-41717 Go MEDIUM PATCH This Month

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go Http2 Fedora
NVD
CVSS 3.1
5.3
EPSS
5.6%
CVE-2022-41720 Go HIGH PATCH This Week

On Windows, restricted files can be accessed via os.DirFS and http.Dir. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Microsoft Go
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-41716 Go HIGH PATCH This Week

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-41715 Go HIGH PATCH This Week

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-2880 Go HIGH POC PATCH This Week

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-2879 Go HIGH PATCH This Week

Reader.Read does not set a limit on the maximum size of file headers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-32190 Go HIGH PATCH This Week

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Go
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-27664 Go HIGH PATCH This Week

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2022-32189 Go HIGH POC PATCH This Week

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-32148 Go MEDIUM POC PATCH This Month

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Go
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-30635 Go HIGH PATCH This Week

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-30633 Go HIGH PATCH This Week

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-30632 Go HIGH PATCH This Week

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-30631 Go HIGH PATCH This Week

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-30630 Go HIGH PATCH This Week

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-30629 Go LOW POC PATCH Monitor

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Go
NVD
CVSS 3.1
3.1
EPSS
0.9%
CVE-2022-30580 Go HIGH PATCH This Week

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Code Injection Go
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2022-29804 Go HIGH PATCH This Week

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Go
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2022-28131 Go HIGH PATCH This Week

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Fedora Cloud Insights Telegraf
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2022-1962 Go MEDIUM POC PATCH This Month

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Go
NVD
CVSS 3.1
5.5
EPSS
0.9%
CVE-2022-1705 Go MEDIUM POC PATCH This Month

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-30634 Go HIGH POC PATCH This Week

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Microsoft Go Cloud Insights Telegraf Agent
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2022-29526 Go MEDIUM POC PATCH This Month

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Go Fedora Beegfs Csi Driver
NVD GitHub
CVSS 3.1
5.3
EPSS
2.6%
CVE-2022-28327 Go HIGH PATCH This Week

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Extra Packages For Enterprise Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
4.2%
CVE-2022-27536 Go HIGH PATCH This Week

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-24675 Go HIGH PATCH This Week

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora Kubernetes Monitoring Operator
NVD
CVSS 3.1
7.5
EPSS
10.0%
CVE-2022-24921 Go HIGH PATCH This Week

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Astra Trident Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.3%
CVE-2021-41772 Go HIGH PATCH This Week

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Fedora Timesten In Memory Database
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-41771 Go HIGH PATCH This Week

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora Debian Linux
NVD
CVSS 3.1
7.5
EPSS
4.4%
CVE-2021-38297 Go CRITICAL PATCH Act Now

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora
NVD
CVSS 3.1
9.8
EPSS
10.3%
CVE-2021-36221 Go MEDIUM PATCH This Month

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Race Condition Go Fedora Debian Linux +2
NVD
CVSS 3.1
5.9
EPSS
3.1%
CVE-2021-29923 HIGH POC PATCH This Week

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Go Timesten In Memory Database Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
3.8%
CVE-2021-33198 Go HIGH POC PATCH This Week

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2021-33197 Go MEDIUM POC PATCH This Month

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Go
NVD
CVSS 3.1
5.3
EPSS
2.3%
CVE-2021-33196 Go HIGH POC PATCH This Week

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.5%
CVE-2021-33195 Go HIGH POC PATCH This Week

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Go Cloud Insights Telegraf Agent
NVD
CVSS 3.1
7.3
EPSS
3.2%
CVE-2021-34558 Go MEDIUM PATCH This Month

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go Fedora Cloud Insights Telegraf +3
NVD
CVSS 3.1
6.5
EPSS
7.0%
CVE-2021-31525 Go MEDIUM PATCH This Month

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Go Fedora
NVD GitHub
CVSS 3.1
5.9
EPSS
3.7%
CVE-2021-33194 Go HIGH PATCH This Week

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Go Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
7.3%
CVE-2021-27919 Go MEDIUM PATCH This Month

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora
NVD
CVSS 3.1
5.5
EPSS
1.5%
CVE-2021-27918 Go HIGH PATCH This Week

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-3115 Go HIGH PATCH This Week

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Command Injection RCE Go Fedora +2
NVD
CVSS 3.1
7.5
EPSS
6.5%
CVE-2021-3114 Go MEDIUM PATCH This Month

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Fedora Debian Linux Cloud Insights Telegraf Agent +1
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2020-29511 MEDIUM This Month

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
CVSS 3.1
5.6
EPSS
1.9%
CVE-2020-29510 MEDIUM This Month

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
CVSS 3.1
5.6
EPSS
2.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. No patch is currently available, though a GODEBUG setting (htmlmetacontenturlescape=0) can be configured as a temporary mitigation.

XSS Go
NVD VulDB
EPSS 0% CVSS 2.5
LOW PATCH Monitor

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. [CVSS 2.5 LOW]

Path Traversal Go
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

DNS certificate verification can crash in systems handling X.509 certificate chains when processing certificates with empty DNS names paired with excluded name constraints, affecting applications performing direct certificate validation or using TLS. This denial of service condition requires no authentication or user interaction but depends on specific certificate chain configurations. No patch is currently available for this vulnerability.

Denial Of Service Go
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

X.509 certificate chain validation in Go 1.26.0 improperly enforces email address constraints when multiple constraints share local parts but differ in domain parts, causing all but the last constraint to be ignored. This CWE-295 (Improper Certificate Validation) flaw allows attackers to bypass intended certificate usage restrictions through specially crafted certificate chains, potentially enabling unauthorized access to services relying on Go's TLS implementation for email-based certificate validation. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Go
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.

Information Disclosure Go
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.

Information Disclosure Go
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Go Code Injection RCE
NVD VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. [CVSS 3.8 LOW]

Path Traversal Go
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. [CVSS 7.0 HIGH]

Buffer Overflow RCE Go +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. [CVSS 7.8 HIGH]

Go Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]

TLS Information Disclosure Go +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. [CVSS 6.5 MEDIUM]

Denial Of Service Go Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. [CVSS 7.5 HIGH]

Denial Of Service Go
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Information Disclosure Ubuntu Debian +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Information Disclosure Ubuntu Debian +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Go Red Hat +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Month

Cancelling a query (e.g. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Race Condition Go +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Microsoft Information Disclosure Ubuntu +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go
NVD
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Go
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Go
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

The filepath package does not recognize paths with a \??\ prefix as special. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Microsoft Go
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Http2 +3
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Go Fedora
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Go
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Go
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The HTTP/1 client does not fully validate the contents of the Host header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The go command may execute arbitrary code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Go Fedora
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The go command may execute arbitrary code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Information Disclosure Go Fedora
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The go command may generate unexpected code at build time when using cgo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Go +1
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Templates containing actions in unquoted HTML attributes (e.g. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Not all valid JavaScript whitespace characters are considered to be whitespace. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Go
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Go
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Google +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Denial Of Service Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Go
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 6% CVSS 5.3
MEDIUM PATCH This Month

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go Http2 +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

On Windows, restricted files can be accessed via os.DirFS and http.Dir. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Microsoft Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Go
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Reader.Read does not set a limit on the maximum size of file headers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Go
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Go
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Go
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go
NVD
EPSS 1% CVSS 3.1
LOW POC PATCH Monitor

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Go
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Code Injection Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Fedora +1
NVD
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Go
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Microsoft Go +1
NVD
EPSS 3% CVSS 5.3
MEDIUM POC PATCH This Month

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Go Fedora +1
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Extra Packages For Enterprise Linux +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Go
NVD
EPSS 10% CVSS 7.5
HIGH PATCH This Week

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Astra Trident +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Go Fedora +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora +1
NVD
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Go Fedora
NVD
EPSS 3% CVSS 5.9
MEDIUM PATCH This Month

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Race Condition Go +4
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Go Timesten In Memory Database +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go
NVD
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Go
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Go Debian Linux
NVD
EPSS 3% CVSS 7.3
HIGH POC PATCH This Week

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Go Cloud Insights Telegraf Agent
NVD
EPSS 7% CVSS 6.5
MEDIUM PATCH This Month

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Go +5
NVD
EPSS 4% CVSS 5.9
MEDIUM PATCH This Month

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Go Fedora
NVD GitHub
EPSS 7% CVSS 7.5
HIGH PATCH This Week

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Go Fedora
NVD GitHub
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go Fedora
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Go
NVD
EPSS 6% CVSS 7.5
HIGH PATCH This Week

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Command Injection RCE +4
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Go Fedora +3
NVD GitHub
EPSS 2% CVSS 5.6
MEDIUM This Month

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
EPSS 2% CVSS 5.6
MEDIUM This Month

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Go Trident
NVD GitHub
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy