Skip to main content

Golang

113 CVEs product

Monthly

CVE-2025-9282 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9279 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23851 Go MEDIUM POC PATCH This Month

SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.

Golang Siyuan Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23644 Go HIGH POC PATCH This Week

Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers to write arbitrary files to the server through malicious tar archives, bypassing incomplete path sanitization. Public exploit code exists for this vulnerability. The issue stems from improper validation of absolute paths in tar file entries, enabling potential code execution or service disruption on affected systems.

Golang Github Path Traversal Esm.Sh Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22045 Go MEDIUM PATCH This Month

Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.

Golang TLS Denial Of Service Traefik Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-66292 Go HIGH POC PATCH This Week

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. [CVSS 8.1 HIGH]

Golang Path Traversal Dpanel Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-71140 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.

Linux Golang Null Pointer Dereference Linux Kernel
NVD
EPSS
0.0%
CVE-2022-50926 CRITICAL POC Act Now

WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.

Golang Privilege Escalation
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2022-50909 HIGH POC This Week

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]

Golang RCE Command Injection
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-22868 Go HIGH PATCH This Week

Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service to affected network participants. An unauthenticated attacker on the network can exploit this vulnerability without user interaction to force vulnerable nodes offline. A patch is available in version 1.16.8 and later.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22862 Go HIGH PATCH This Week

Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resulting in denial of service. This network-based attack requires no user interaction and affects Golang and Go Ethereum implementations prior to version 1.16.8. A patch is available to remediate this high-severity vulnerability.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68774 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it.

Linux Golang Linux Kernel
NVD VulDB
EPSS
0.1%
CVE-2026-22786 Go HIGH POC PATCH This Week

Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.

Golang Path Traversal Gin Vue Admin Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-40978 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.

Golang XSS
NVD
EPSS
0.1%
CVE-2025-40977 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.

Golang XSS
NVD
EPSS
0.1%
CVE-2025-67282 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. [CVSS 5.4 MEDIUM]

Golang Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22246 MEDIUM PATCH This Month

Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.

Golang Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21697 HIGH PATCH This Week

Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.

Golang Race Condition Axios4go
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-14053 MEDIUM This Month

The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress Golang XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13153 MEDIUM This Month

Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).

WordPress Golang XSS PHP
NVD WPScan
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-22874 Go HIGH PATCH This Week

Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.

Golang Authentication Bypass Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-49140 Go HIGH PATCH This Week

Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.

Denial Of Service Golang Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29785 Go HIGH PATCH This Week

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

Golang Denial Of Service Null Pointer Dereference Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.

Golang Siyuan Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers to write arbitrary files to the server through malicious tar archives, bypassing incomplete path sanitization. Public exploit code exists for this vulnerability. The issue stems from improper validation of absolute paths in tar file entries, enabling potential code execution or service disruption on affected systems.

Golang Github Path Traversal +2
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.

Golang TLS Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. [CVSS 8.1 HIGH]

Golang Path Traversal Dpanel +1
NVD GitHub
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.

Linux Golang Null Pointer Dereference +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.

Golang Privilege Escalation
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]

Golang RCE Command Injection
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Go Ethereum (geth) nodes can be remotely crashed through maliciously crafted network messages, causing denial of service to affected network participants. An unauthenticated attacker on the network can exploit this vulnerability without user interaction to force vulnerable nodes offline. A patch is available in version 1.16.8 and later.

Golang Denial Of Service Go Ethereum +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Go Ethereum nodes can be remotely crashed by unauthenticated attackers sending specially crafted network messages, resulting in denial of service. This network-based attack requires no user interaction and affects Golang and Go Ethereum implementations prior to version 1.16.8. A patch is available to remediate this high-severity vulnerability.

Golang Denial Of Service Go Ethereum +1
NVD GitHub
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it.

Linux Golang Linux Kernel
NVD VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.

Golang Path Traversal Gin Vue Admin +1
NVD GitHub
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.

Golang XSS
NVD
EPSS 0%
This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.

Golang XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. [CVSS 5.4 MEDIUM]

Golang Tim Flow
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.

Golang Mastodon
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.

Golang Race Condition Axios4go
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress Golang XSS +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Logo Slider WordPre versions up to 4.9.0 contains a vulnerability that allows attackers to users with the contributor role and above to perform Stored Cross-Site Scripting (CVSS 6.1).

WordPress Golang XSS +1
NVD WPScan
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.

Golang Authentication Bypass Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.

Denial Of Service Golang Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

Golang Denial Of Service Null Pointer Dereference +2
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy