Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-06-08 12:59

Modified

2026-06-05 05:57

Summary

Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68121, CVE-2026-24051, CVE-2026-25679, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-27139, CVE-2026-27142, CVE-2026-32281, CVE-2026-32283, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39821, CVE-2026-39823, CVE-2026-39824, CVE-2026-39825, CVE-2026-39826, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-39836, CVE-2026-39883, CVE-2026-42499, CVE-2026-42501, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 6.1.0-r0, 6.1.0-r1, 6.1.0-r2, 6.1.0-r3, 6.1.0-r4

Details

Multiple security vulnerabilities affect the kubernetes-csi-external-provisioner-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-61726	WEB
	https://osv.dev/vulnerability/CVE-2025-61728	WEB
	https://osv.dev/vulnerability/CVE-2025-61730	WEB
	https://osv.dev/vulnerability/CVE-2025-68121	WEB
	https://osv.dev/vulnerability/CVE-2026-24051	WEB
	https://osv.dev/vulnerability/CVE-2026-25679	WEB
	https://osv.dev/vulnerability/CVE-2026-25680	WEB
	https://osv.dev/vulnerability/CVE-2026-25681	WEB
	https://osv.dev/vulnerability/CVE-2026-27136	WEB
	https://osv.dev/vulnerability/CVE-2026-27139	WEB
	https://osv.dev/vulnerability/CVE-2026-27142	WEB
	https://osv.dev/vulnerability/CVE-2026-32281	WEB
	https://osv.dev/vulnerability/CVE-2026-32283	WEB
	https://osv.dev/vulnerability/CVE-2026-33186	WEB
	https://osv.dev/vulnerability/CVE-2026-33810	WEB
	https://osv.dev/vulnerability/CVE-2026-33811	WEB
	https://osv.dev/vulnerability/CVE-2026-33814	WEB
	https://osv.dev/vulnerability/CVE-2026-39817	WEB
	https://osv.dev/vulnerability/CVE-2026-39819	WEB
	https://osv.dev/vulnerability/CVE-2026-39820	WEB
	https://osv.dev/vulnerability/CVE-2026-39821	WEB
	https://osv.dev/vulnerability/CVE-2026-39823	WEB
	https://osv.dev/vulnerability/CVE-2026-39824	WEB
	https://osv.dev/vulnerability/CVE-2026-39825	WEB
	https://osv.dev/vulnerability/CVE-2026-39826	WEB
	https://osv.dev/vulnerability/CVE-2026-39827	WEB
	https://osv.dev/vulnerability/CVE-2026-39828	WEB
	https://osv.dev/vulnerability/CVE-2026-39829	WEB
	https://osv.dev/vulnerability/CVE-2026-39830	WEB
	https://osv.dev/vulnerability/CVE-2026-39831	WEB
	https://osv.dev/vulnerability/CVE-2026-39832	WEB
	https://osv.dev/vulnerability/CVE-2026-39833	WEB
	https://osv.dev/vulnerability/CVE-2026-39834	WEB
	https://osv.dev/vulnerability/CVE-2026-39835	WEB
	https://osv.dev/vulnerability/CVE-2026-39836	WEB
	https://osv.dev/vulnerability/CVE-2026-39883	WEB
	https://osv.dev/vulnerability/CVE-2026-42499	WEB
	https://osv.dev/vulnerability/CVE-2026-42501	WEB
	https://osv.dev/vulnerability/CVE-2026-42502	WEB
	https://osv.dev/vulnerability/CVE-2026-42506	WEB
	https://osv.dev/vulnerability/CVE-2026-42508	WEB
	https://osv.dev/vulnerability/CVE-2026-46595	WEB
	https://osv.dev/vulnerability/CVE-2026-46597	WEB
	https://osv.dev/vulnerability/CVE-2026-46598	WEB
	https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq	WEB
	https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61726	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61728	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61730	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-68121	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24051	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25679	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25680	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25681	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27136	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27139	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27142	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32281	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32283	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33186	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33810	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33811	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33814	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39817	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39819	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39820	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39821	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39823	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39824	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39825	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39826	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39827	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39828	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39829	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39830	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39831	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39832	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39833	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39834	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39835	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39836	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39883	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42499	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42501	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42502	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42506	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42508	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46595	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46597	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-46598	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "kubernetes-csi-external-provisioner-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.0-r4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the kubernetes-csi-external-provisioner-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-RE02723",
  "modified": "2026-06-05T05:57:22Z",
  "published": "2026-06-08T12:59:56.014836Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-RE02723.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61726"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61728"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61730"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25680"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25681"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27136"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39821"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39824"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39883"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42501"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42502"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42506"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-46598"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25680"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25681"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27136"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39824"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39827"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39831"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39833"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39834"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42502"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42506"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42508"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46595"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46597"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46598"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68121, CVE-2026-24051, CVE-2026-25679, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-27139, CVE-2026-27142, CVE-2026-32281, CVE-2026-32283, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39821, CVE-2026-39823, CVE-2026-39824, CVE-2026-39825, CVE-2026-39826, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-39836, CVE-2026-39883, CVE-2026-42499, CVE-2026-42501, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 6.1.0-r0, 6.1.0-r1, 6.1.0-r2, 6.1.0-r3, 6.1.0-r4",
  "upstream": [
    "CVE-2025-61726",
    "CVE-2025-61728",
    "CVE-2025-61730",
    "CVE-2025-68121",
    "CVE-2026-24051",
    "CVE-2026-25679",
    "CVE-2026-25680",
    "CVE-2026-25681",
    "CVE-2026-27136",
    "CVE-2026-27139",
    "CVE-2026-27142",
    "CVE-2026-32281",
    "CVE-2026-32283",
    "CVE-2026-33186",
    "CVE-2026-33810",
    "CVE-2026-33811",
    "CVE-2026-33814",
    "CVE-2026-39817",
    "CVE-2026-39819",
    "CVE-2026-39820",
    "CVE-2026-39821",
    "CVE-2026-39823",
    "CVE-2026-39824",
    "CVE-2026-39825",
    "CVE-2026-39826",
    "CVE-2026-39827",
    "CVE-2026-39828",
    "CVE-2026-39829",
    "CVE-2026-39830",
    "CVE-2026-39831",
    "CVE-2026-39832",
    "CVE-2026-39833",
    "CVE-2026-39834",
    "CVE-2026-39835",
    "CVE-2026-39836",
    "CVE-2026-39883",
    "CVE-2026-42499",
    "CVE-2026-42501",
    "CVE-2026-42502",
    "CVE-2026-42506",
    "CVE-2026-42508",
    "CVE-2026-46595",
    "CVE-2026-46597",
    "CVE-2026-46598",
    "ghsa-9h8m-3fm2-qjrq",
    "ghsa-p77j-4mvh-x3m3"
  ]
}

CVE-2025-61726 (GCVE-0-2025-61726)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:31

Title

Memory exhaustion in query parameter parsing in net/url

Summary

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/736712
https://go.dev/issue/77101
https://groups.google.com/g/golang-announce/c/Vd2…
https://pkg.go.dev/vuln/GO-2026-4341

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

jub0bs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:31:39.150633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:31:59.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseQuery"
            },
            {
              "name": "ParseQuery"
            },
            {
              "name": "URL.Query"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.215Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736712"
        },
        {
          "url": "https://go.dev/issue/77101"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "title": "Memory exhaustion in query parameter parsing in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61726",
    "datePublished": "2026-01-28T19:30:31.215Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:31:59.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61728 (GCVE-0-2025-61728)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:30

Title

Excessive CPU consumption when building archive index in archive/zip

Summary

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

5 references

URL	Tags
https://go.dev/cl/736713
https://go.dev/issue/77102
https://groups.google.com/g/golang-announce/c/Vd2…
https://pkg.go.dev/vuln/GO-2026-4342
http://www.openwall.com/lists/oss-security/2026/01/15/4

Impacted products

1 product

Vendor	Product	Version
Go standard library	archive/zip	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:08:22.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/15/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:29:58.068724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:30:24.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/zip",
          "product": "archive/zip",
          "programRoutines": [
            {
              "name": "Reader.initFileList"
            },
            {
              "name": "Reader.Open"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736713"
        },
        {
          "url": "https://go.dev/issue/77102"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "title": "Excessive CPU consumption when building archive index in archive/zip"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61728",
    "datePublished": "2026-01-28T19:30:31.354Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:30:24.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61730 (GCVE-0-2025-61730)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-02-02 17:28

Title

Handshake messages may be processed at the incorrect encryption level in crypto/tls

Summary

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-940 - Improper Verification of Source of a Communication Channel

Assigner

References

4 references

URL	Tags
https://go.dev/cl/724120
https://go.dev/issue/76443
https://groups.google.com/g/golang-announce/c/Vd2…
https://pkg.go.dev/vuln/GO-2026-4340

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/tls	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Coia Prant (github.com/rbqvq)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61730",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T17:28:46.305649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T17:28:49.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handleKeyUpdate"
            },
            {
              "name": "Conn.handshakeContext"
            },
            {
              "name": "clientHandshakeStateTLS13.establishHandshakeKeys"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerFinished"
            },
            {
              "name": "clientHandshakeStateTLS13.sendClientFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.checkForResumption"
            },
            {
              "name": "serverHandshakeStateTLS13.doHelloRetryRequest"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerParameters"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.readClientFinished"
            },
            {
              "name": "Conn.quicSetReadSecret"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.HandleData"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Coia Prant (github.com/rbqvq)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-940: Improper Verification of Source of a Communication Channel",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:30.986Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/724120"
        },
        {
          "url": "https://go.dev/issue/76443"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4340"
        }
      ],
      "title": "Handshake messages may be processed at the incorrect encryption level in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61730",
    "datePublished": "2026-01-28T19:30:30.986Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-02-02T17:28:49.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68121 (GCVE-0-2025-68121)

Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-04-29 13:29

Title

Unexpected session resumption in crypto/tls

Summary

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/K09…
https://go.dev/cl/737700
https://go.dev/issue/77217
https://pkg.go.dev/vuln/GO-2026-4337

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/tls	Affected: 0 , < 1.24.13 (semver) Affected: 1.25.0-0 , < 1.25.7 (semver) Affected: 1.26.0-rc.1 , < 1.26.0-rc.3 (semver)

Credits

Coia Prant (github.com/rbqvq) Go Security Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-68121",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T03:55:46.305385Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:29:25.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handshakeContext"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.7",
              "status": "affected",
              "version": "1.25.0-0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.0-rc.3",
              "status": "affected",
              "version": "1.26.0-rc.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Coia Prant (github.com/rbqvq)"
        },
        {
          "lang": "en",
          "value": "Go Security Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:48:44.141Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "url": "https://go.dev/cl/737700"
        },
        {
          "url": "https://go.dev/issue/77217"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4337"
        }
      ],
      "title": "Unexpected session resumption in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-68121",
    "datePublished": "2026-02-05T17:48:44.141Z",
    "dateReserved": "2025-12-15T16:48:04.451Z",
    "dateUpdated": "2026-04-29T13:29:25.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24051 (GCVE-0-2026-24051)

Vulnerability from cvelistv5 – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54

Title

OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Severity

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-telemetry	opentelemetry-go	Affected: >= 1.21.0, < 1.40.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24051",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T14:53:50.389773Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T14:54:41.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.21.0, \u003c 1.40.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T19:49:10.038Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
        }
      ],
      "source": {
        "advisory": "GHSA-9h8m-3fm2-qjrq",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24051",
    "datePublished": "2026-02-02T19:49:10.038Z",
    "dateReserved": "2026-01-20T22:30:11.778Z",
    "dateUpdated": "2026-02-03T14:54:41.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37

Title

Incorrect parsing of IPv6 host literals in net/url

Summary

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/Edh…
https://pkg.go.dev/vuln/GO-2026-4601

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:36:26.554241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:37:02.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseHost"
            },
            {
              "name": "JoinPath"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseRequestURI"
            },
            {
              "name": "URL.Parse"
            },
            {
              "name": "URL.UnmarshalBinary"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.211Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/752180"
        },
        {
          "url": "https://go.dev/issue/77578"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "title": "Incorrect parsing of IPv6 host literals in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25679",
    "datePublished": "2026-03-06T21:28:14.211Z",
    "dateReserved": "2026-02-05T01:33:41.943Z",
    "dateUpdated": "2026-03-10T13:37:02.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25680 (GCVE-0-2026-25680)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00

Title

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

Summary

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/781702
https://go.dev/issue/79573
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5028

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

IPC Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:00:30.926552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:00:35.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "IPC Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.805Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/781702"
        },
        {
          "url": "https://go.dev/issue/79573"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5028"
        }
      ],
      "title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25680",
    "datePublished": "2026-05-22T15:01:21.805Z",
    "dateReserved": "2026-02-05T01:35:43.737Z",
    "dateUpdated": "2026-05-22T17:00:35.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25681 (GCVE-0-2026-25681)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46

Title

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Summary

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79574
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781703
https://pkg.go.dev/vuln/GO-2026-5029

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25681",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T17:46:00.775026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T17:46:20.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.975Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79574"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781703"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5029"
        }
      ],
      "title": "Invoking  incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25681",
    "datePublished": "2026-05-22T15:01:21.975Z",
    "dateReserved": "2026-02-05T01:35:43.738Z",
    "dateUpdated": "2026-05-22T17:46:20.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27136 (GCVE-0-2026-27136)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59

Title

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

Summary

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/issue/79575
https://groups.google.com/g/golang-announce/c/iI-…
https://go.dev/cl/781685
https://pkg.go.dev/vuln/GO-2026-5030

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/html	Affected: 0 , < 0.55.0 (semver)

Credits

ensy

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27136",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:59:35.355098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:59:52.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/html",
          "product": "golang.org/x/net/html",
          "programRoutines": [
            {
              "name": "parser.parse"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseFragment"
            },
            {
              "name": "ParseFragmentWithOptions"
            },
            {
              "name": "ParseWithOptions"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ensy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:22.111Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/79575"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://go.dev/cl/781685"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5030"
        }
      ],
      "title": "Invoking  duplicate attributes can cause XSS in golang.org/x/net/html"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27136",
    "datePublished": "2026-05-22T15:01:22.111Z",
    "dateReserved": "2026-02-17T19:57:28.434Z",
    "dateUpdated": "2026-05-22T16:59:52.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27139 (GCVE-0-2026-27139)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-09 14:53

Title

FileInfo can escape from a Root in os

Summary

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Severity

2.5 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-363 - Race Condition Enabling Link Following

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/Edh…
https://go.dev/issue/77827
https://go.dev/cl/749480
https://pkg.go.dev/vuln/GO-2026-4602

Impacted products

1 product

Vendor	Product	Version
Go standard library	os	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Miloslav Trmač of Red Hat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T14:53:55.467850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T14:53:58.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os",
          "product": "os",
          "programRoutines": [
            {
              "name": "File.ReadDir"
            },
            {
              "name": "File.Readdir"
            },
            {
              "name": "ReadDir"
            },
            {
              "name": "dirFS.ReadDir"
            },
            {
              "name": "rootFS.ReadDir"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Miloslav Trma\u010d of Red Hat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.451Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77827"
        },
        {
          "url": "https://go.dev/cl/749480"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4602"
        }
      ],
      "title": "FileInfo can escape from a Root in os"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27139",
    "datePublished": "2026-03-06T21:28:14.451Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-09T14:53:58.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-61726 (GCVE-0-2025-61726)

CVE-2025-61728 (GCVE-0-2025-61728)

CVE-2025-61730 (GCVE-0-2025-61730)

CVE-2025-68121 (GCVE-0-2025-68121)

CVE-2026-24051 (GCVE-0-2026-24051)

CVE-2026-25679 (GCVE-0-2026-25679)

CVE-2026-25680 (GCVE-0-2026-25680)

CVE-2026-25681 (GCVE-0-2026-25681)

CVE-2026-27136 (GCVE-0-2026-27136)

CVE-2026-27139 (GCVE-0-2026-27139)

Tags

Sightings

Nomenclature