Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-06-10 01:14

Modified

2026-06-09 06:14

Summary

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU

Details

Multiple security vulnerabilities affect the nats-streaming package. Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. See references for individual vulnerability details.

Severity

9.8 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2026-27145	WEB
	https://osv.dev/vulnerability/CVE-2026-33811	WEB
	https://osv.dev/vulnerability/CVE-2026-33814	WEB
	https://osv.dev/vulnerability/CVE-2026-39817	WEB
	https://osv.dev/vulnerability/CVE-2026-39819	WEB
	https://osv.dev/vulnerability/CVE-2026-39820	WEB
	https://osv.dev/vulnerability/CVE-2026-39823	WEB
	https://osv.dev/vulnerability/CVE-2026-39824	WEB
	https://osv.dev/vulnerability/CVE-2026-39825	WEB
	https://osv.dev/vulnerability/CVE-2026-39826	WEB
	https://osv.dev/vulnerability/CVE-2026-39827	WEB
	https://osv.dev/vulnerability/CVE-2026-39828	WEB
	https://osv.dev/vulnerability/CVE-2026-39829	WEB
	https://osv.dev/vulnerability/CVE-2026-39830	WEB
	https://osv.dev/vulnerability/CVE-2026-39831	WEB
	https://osv.dev/vulnerability/CVE-2026-39832	WEB
	https://osv.dev/vulnerability/CVE-2026-39833	WEB
	https://osv.dev/vulnerability/CVE-2026-39834	WEB
	https://osv.dev/vulnerability/CVE-2026-39835	WEB
	https://osv.dev/vulnerability/CVE-2026-39836	WEB
	https://osv.dev/vulnerability/CVE-2026-42499	WEB
	https://osv.dev/vulnerability/CVE-2026-42501	WEB
	https://osv.dev/vulnerability/CVE-2026-42504	WEB
	https://osv.dev/vulnerability/CVE-2026-42507	WEB
	https://osv.dev/vulnerability/CVE-2026-42508	WEB
	https://osv.dev/vulnerability/CVE-2026-46595	WEB
	https://osv.dev/vulnerability/CVE-2026-46597	WEB
	https://osv.dev/vulnerability/CVE-2026-46598	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27145	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33811	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33814	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39817	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39819	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39820	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39823	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39824	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39825	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39826	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39827	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39828	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39829	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39830	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39831	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39832	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39833	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39834	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39835	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39836	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42499	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42501	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42504	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42507	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42508	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46595	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46597	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46598	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "nats-streaming"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.6-r1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the nats-streaming package. Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-CP20786",
  "modified": "2026-06-09T06:14:32Z",
  "published": "2026-06-10T01:14:55.975405Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CP20786.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27145"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39824"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42501"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42504"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42507"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46598"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27145"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39824"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42504"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42507"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46598"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU",
  "upstream": [
    "CVE-2026-27145",
    "CVE-2026-33811",
    "CVE-2026-33814",
    "CVE-2026-39817",
    "CVE-2026-39819",
    "CVE-2026-39820",
    "CVE-2026-39823",
    "CVE-2026-39824",
    "CVE-2026-39825",
    "CVE-2026-39826",
    "CVE-2026-39827",
    "CVE-2026-39828",
    "CVE-2026-39829",
    "CVE-2026-39830",
    "CVE-2026-39831",
    "CVE-2026-39832",
    "CVE-2026-39833",
    "CVE-2026-39834",
    "CVE-2026-39835",
    "CVE-2026-39836",
    "CVE-2026-42499",
    "CVE-2026-42501",
    "CVE-2026-42504",
    "CVE-2026-42507",
    "CVE-2026-42508",
    "CVE-2026-46595",
    "CVE-2026-46597",
    "CVE-2026-46598"
  ]
}

CVE-2026-27145 (GCVE-0-2026-27145)

Vulnerability from cvelistv5 – Published: 2026-06-02 22:01 – Updated: 2026-06-04 12:34

Title

Inefficient candidate hostname parsing in crypto/x509

Summary

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/783621
https://go.dev/issue/79694
https://groups.google.com/g/golang-announce/c/tKs…
https://pkg.go.dev/vuln/GO-2026-5037

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.11 (semver) Affected: 1.26.0-0 , < 1.26.4 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T12:34:03.859208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T12:34:53.136Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "HostnameError.Error"
            },
            {
              "name": "matchHostnames"
            },
            {
              "name": "Certificate.Verify"
            },
            {
              "name": "Certificate.VerifyHostname"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.4",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname\u0027s label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T22:01:36.954Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/783621"
        },
        {
          "url": "https://go.dev/issue/79694"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5037"
        }
      ],
      "title": "Inefficient candidate hostname parsing in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27145",
    "datePublished": "2026-06-02T22:01:36.954Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-06-04T12:34:53.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33811 (GCVE-0-2026-33811)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:25

Title

Crash when handling long CNAME response in net

Summary

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-415 - Double Free

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78803
https://go.dev/cl/767860
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4981

Impacted products

1 product

Vendor	Product	Version
Go standard library	net	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

hamayanhamayan

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33811",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:25:39.702568Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T14:25:43.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net",
          "product": "net",
          "programRoutines": [
            {
              "name": "cgoResSearch"
            },
            {
              "name": "LookupCNAME"
            },
            {
              "name": "Resolver.LookupCNAME"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "hamayanhamayan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-415: Double Free",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.285Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78803"
        },
        {
          "url": "https://go.dev/cl/767860"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4981"
        }
      ],
      "title": "Crash when handling long CNAME response in net"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33811",
    "datePublished": "2026-05-07T19:41:19.285Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-08T14:25:43.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33814 (GCVE-0-2026-33814)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 18:01

Title

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

Summary

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

References

5 references

URL	Tags
https://go.dev/cl/761581
https://go.dev/cl/761640
https://go.dev/issue/78476
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4918

Impacted products

2 products

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/http2	Affected: 0 , < 0.53.0 (semver)
Go standard library	net/http	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Marwan Atia (marwansamir688@gmail.com)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33814",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T18:00:53.951676Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T18:01:02.989Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "clientConnReadLoop.processSettingsNoWrite"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "Transport.RoundTripOpt"
            },
            {
              "name": "clientConnPool.GetClientConn"
            },
            {
              "name": "noDialClientConnPool.GetClientConn"
            },
            {
              "name": "noDialH2RoundTripper.NewClientConn"
            },
            {
              "name": "noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "unencryptedTransport.RoundTrip"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.53.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "http2clientConnReadLoop.processSettingsNoWrite"
            },
            {
              "name": "Client.CloseIdleConnections"
            },
            {
              "name": "Client.Do"
            },
            {
              "name": "Client.Get"
            },
            {
              "name": "Client.Head"
            },
            {
              "name": "Client.Post"
            },
            {
              "name": "Client.PostForm"
            },
            {
              "name": "ClientConn.Close"
            },
            {
              "name": "ClientConn.RoundTrip"
            },
            {
              "name": "Get"
            },
            {
              "name": "Head"
            },
            {
              "name": "Post"
            },
            {
              "name": "PostForm"
            },
            {
              "name": "Transport.CloseIdleConnections"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "http1ClientConn.Close"
            },
            {
              "name": "http1ClientConn.RoundTrip"
            },
            {
              "name": "http2Transport.NewClientConn"
            },
            {
              "name": "http2Transport.RoundTrip"
            },
            {
              "name": "http2Transport.RoundTripOpt"
            },
            {
              "name": "http2clientConnPool.GetClientConn"
            },
            {
              "name": "http2noDialClientConnPool.GetClientConn"
            },
            {
              "name": "http2noDialH2RoundTripper.NewClientConn"
            },
            {
              "name": "http2noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "http2unencryptedTransport.RoundTrip"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marwan Atia (marwansamir688@gmail.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:17.631Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/761581"
        },
        {
          "url": "https://go.dev/cl/761640"
        },
        {
          "url": "https://go.dev/issue/78476"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4918"
        }
      ],
      "title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33814",
    "datePublished": "2026-05-07T19:41:17.631Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-08T18:01:02.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39817 (GCVE-0-2026-39817)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:29

Title

Invoking "go tool pack" does not sanitize output paths in cmd/go

Summary

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

Severity

5.9 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78778
https://go.dev/cl/767520
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4979

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/go	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Harshit Gupta (Mr HAX)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39817",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:58:23.255142Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:29:47.246Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Harshit Gupta (Mr HAX)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \"go tool pack\" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the \"pack\" subcommand can write files to arbitrary locations on the filesystem."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:18.993Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78778"
        },
        {
          "url": "https://go.dev/cl/767520"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4979"
        }
      ],
      "title": "Invoking \"go tool pack\" does not sanitize output paths in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39817",
    "datePublished": "2026-05-07T19:41:18.993Z",
    "dateReserved": "2026-04-07T18:13:03.524Z",
    "dateUpdated": "2026-05-08T21:29:47.246Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39819 (GCVE-0-2026-39819)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:29

Title

Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go

Summary

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-377 - Insecure Temporary File

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78584
https://go.dev/cl/763882
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4978

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/go	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Harshit Gupta (Mr HAX)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:56:43.015860Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:29:53.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Harshit Gupta (Mr HAX)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \"go bug\" command writes to two files with predictable names in the system temporary directory (for example, \"/tmp\"). An attacker with access to the temporary directory can create a symlink in one of these names, causing \"go bug\" to overwrite the target of the symlink."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-377: Insecure Temporary File",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:18.849Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78584"
        },
        {
          "url": "https://go.dev/cl/763882"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4978"
        }
      ],
      "title": "Invoking \"go bug\" follows symlinks in predictable temporary filenames in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39819",
    "datePublished": "2026-05-07T19:41:18.849Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-05-08T21:29:53.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39820 (GCVE-0-2026-39820)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:27

Title

Quadratic string concatentation in consumeComment in net/mail

Summary

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78566
https://go.dev/cl/759940
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4986

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/mail	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

thatnealpatel

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:27:51.595266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T14:27:54.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/mail",
          "product": "net/mail",
          "programRoutines": [
            {
              "name": "addrParser.consumeComment"
            },
            {
              "name": "AddressParser.Parse"
            },
            {
              "name": "AddressParser.ParseList"
            },
            {
              "name": "Header.AddressList"
            },
            {
              "name": "Header.Date"
            },
            {
              "name": "ParseAddress"
            },
            {
              "name": "ParseAddressList"
            },
            {
              "name": "ParseDate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "thatnealpatel"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.854Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78566"
        },
        {
          "url": "https://go.dev/cl/759940"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4986"
        }
      ],
      "title": "Quadratic string concatentation in consumeComment in net/mail"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39820",
    "datePublished": "2026-05-07T19:41:19.854Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-05-08T14:27:54.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39823 (GCVE-0-2026-39823)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05

Title

Bypass of meta content URL escaping causes XSS in html/template

Summary

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78913
https://go.dev/cl/769920
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4982

Impacted products

1 product

Vendor	Product	Version
Go standard library	html/template	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Samy Ghannad

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39823",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:05:34.310805Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T14:05:55.152Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "tMetaContent"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Samy Ghannad"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a \u003cmeta\u003e tag\u0027s \u003ccontent\u003e attribute. If the URL content were to insert ASCII whitespaces around the \u0027=\u0027 rune inside of the \u003ccontent\u003e attribute, the escaper would fail to similarly escape it, leading to XSS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.524Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78913"
        },
        {
          "url": "https://go.dev/cl/769920"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4982"
        }
      ],
      "title": "Bypass of meta content URL escaping causes XSS in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39823",
    "datePublished": "2026-05-07T19:41:19.524Z",
    "dateReserved": "2026-04-07T18:13:03.527Z",
    "dateUpdated": "2026-05-08T14:05:55.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39824 (GCVE-0-2026-39824)

Vulnerability from cvelistv5 – Published: 2026-05-22 19:39 – Updated: 2026-05-27 13:31

Title

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

Summary

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Severity

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78916
https://go.dev/cl/770080
https://groups.google.com/g/golang-announce/c/6MM…
https://pkg.go.dev/vuln/GO-2026-5024

Impacted products

1 product

Vendor	Product	Version
golang.org/x/sys	golang.org/x/sys/windows	Affected: 0 , < 0.44.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39824",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T13:31:22.142852Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:31:26.148Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/sys/windows",
          "platforms": [
            "windows"
          ],
          "product": "golang.org/x/sys/windows",
          "programRoutines": [
            {
              "name": "NewNTUnicodeString"
            }
          ],
          "vendor": "golang.org/x/sys",
          "versions": [
            {
              "lessThan": "0.44.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T19:39:47.629Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78916"
        },
        {
          "url": "https://go.dev/cl/770080"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5024"
        }
      ],
      "title": "Invoking  integer overflow in NewNTUnicodeString in golang.org/x/sys/windows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39824",
    "datePublished": "2026-05-22T19:39:47.629Z",
    "dateReserved": "2026-04-07T18:13:03.527Z",
    "dateUpdated": "2026-05-27T13:31:26.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39825 (GCVE-0-2026-39825)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30

Title

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

Summary

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

References

4 references

URL	Tags
https://go.dev/cl/770541
https://go.dev/issue/78948
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4976

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/http/httputil	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39825",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:46:43.329507Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:30:08.872Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http/httputil",
          "product": "net/http/httputil",
          "programRoutines": [
            {
              "name": "cleanQueryParams"
            },
            {
              "name": "ReverseProxy.ServeHTTP"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery\u0027s limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x\u0026a2=x\u0026...\u0026a10000=x\u0026hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy\u0027s Rewrite function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:18.453Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/770541"
        },
        {
          "url": "https://go.dev/issue/78948"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4976"
        }
      ],
      "title": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39825",
    "datePublished": "2026-05-07T19:41:18.453Z",
    "dateReserved": "2026-04-07T18:13:03.527Z",
    "dateUpdated": "2026-05-08T21:30:08.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39826 (GCVE-0-2026-39826)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05

Title

Escaper bypass leads to XSS in html/template

Summary

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78981
https://go.dev/cl/771180
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4980

Impacted products

1 product

Vendor	Product	Version
Go standard library	html/template	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Mundur (https://github.com/M0nd0R)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:04:40.842823Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T14:05:05.849Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "isJSType"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mundur (https://github.com/M0nd0R)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If a trusted template author were to write a \u003cscript\u003e tag containing an empty \u0027type\u0027 attribute or a \u0027type\u0027 attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the \u003cscript\u003e block."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.138Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78981"
        },
        {
          "url": "https://go.dev/cl/771180"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4980"
        }
      ],
      "title": "Escaper bypass leads to XSS in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39826",
    "datePublished": "2026-05-07T19:41:19.138Z",
    "dateReserved": "2026-04-07T18:13:03.528Z",
    "dateUpdated": "2026-05-08T14:05:05.849Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2026-27145 (GCVE-0-2026-27145)

CVE-2026-33811 (GCVE-0-2026-33811)

CVE-2026-33814 (GCVE-0-2026-33814)

CVE-2026-39817 (GCVE-0-2026-39817)

CVE-2026-39819 (GCVE-0-2026-39819)

CVE-2026-39820 (GCVE-0-2026-39820)

CVE-2026-39823 (GCVE-0-2026-39823)

CVE-2026-39824 (GCVE-0-2026-39824)

CVE-2026-39825 (GCVE-0-2026-39825)

CVE-2026-39826 (GCVE-0-2026-39826)

Tags

Sightings

Nomenclature