Go

This hub aggregates every CVE we track for Go, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Go.

• CVE-2026-42501Malicious module proxy can bypass checksum database in cmd/go7.5May 7, 2026
• CVE-2026-39826Escaper bypass leads to XSS in html/template6.1May 7, 2026
• CVE-2026-39823Bypass of meta content URL escaping causes XSS in html/template6.1May 7, 2026
• CVE-2026-39820Quadratic string concatentation in consumeComment in net/mail7.5May 7, 2026
• CVE-2026-33811Crash when handling long CNAME response in net7.5May 7, 2026
• CVE-2026-42499Quadratic string concatenation in consumePhrase in net/mail7.5May 7, 2026
• CVE-2026-39836Panic in Dial and LookupPort when handling NUL byte on Windows in net7.5May 7, 2026
• CVE-2026-39825ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil5.3May 7, 2026
• CVE-2026-39819Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go5.3May 7, 2026
• CVE-2026-39817Invoking "go tool pack" does not sanitize output paths in cmd/go5.9May 7, 2026
• CVE-2026-33814Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net7.5May 7, 2026
• CVE-2026-32281Inefficient policy validation in crypto/x5097.5Apr 8, 2026
• CVE-2026-32280Unexpected work during chain building in crypto/x5097.5Apr 8, 2026
• CVE-2026-32288Unbounded allocation for old GNU sparse in archive/tar5.5Apr 8, 2026
• CVE-2026-32283Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls7.5Apr 8, 2026