CVE-2026-25679
Published 2026-03-06
CVE-2026-25679: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Priority: P341 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.73% (49.6th percentile)
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky) |
| debian | golang-1.19 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky) |
| debian | golang-1.24 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky) |
| debian | golang-1.25 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky) |
| debian | golang-1.26 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky) |
| go_standard_library | net_url | < 1.25.8 | 1.25.8 |
| go_standard_library | net_url | >= 1.26.0-0 < 1.26.1 | 1.26.1 |
| golang | go | < 1.25.8 | 1.25.8 |
| golang | go | — | — |
| msrc | azl3_golang_1.25.7-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.18.8-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-5_on_cbl_mariner_2.0 | — | — |
CVSS provenance
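| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |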
GHSA
GHSA-j3gx-2473-5fp8: url
ghsa_unreviewed·2026-03-07
CVE-2026-25679 [HIGH] GHSA-j3gx-2473-5fp8: url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
OSV
CVE-2026-25679: url
osv·2026-03-06·CVSS 7.5
CVE-2026-25679 [HIGH] CVE-2026-25679: url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
OSV
Incorrect parsing of IPv6 host literals in net/url
osv·2026-03-06
CVE-2026-25679 Incorrect parsing of IPv6 host literals in net/url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Microsoft
Incorrect parsing of IPv6 host literals in net/url
vendor_msrc·2026-03-10·CVSS 7.5
CVE-2026-25679 [HIGH] Incorrect parsing of IPv6 host literals in net/url
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Red Hat
net/url: Incorrect parsing of IPv6 host literals in net/url
vendor_redhat·2026-03-06·CVSS 7.5
CVE-2026-25679 [HIGH] CWE-1286 net/url: Incorrect parsing of IPv6 host literals in net/url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhai/assisted-installer-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Affected
Package: cert-manager/jetstac
Debian
CVE-2026-25679: golang-1.15 - url.Parse insufficiently validated the host/authority component and accepted som...
vendor_debian·2026·CVSS 7.5
CVE-2026-25679 [HIGH] CVE-2026-25679: golang-1.15 - url.Parse insufficiently validated the host/authority component and accepted som...
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25679 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25679 [HIGH] CVE-2026-25679 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25679: cAdvisor vulnerability analysis and mitigation
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Source: NVD
Score: 7.5
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
cAdvisor
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
logstash-9.1
vault
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Mar 29, 2026
Alpine 3.23 Severity HIGH Has Fix Added at: Mar 09, 2026
Alpine edge Severity HIGH Has Fix Added at: Mar 08, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Chainguard Has Fix A
Wiz
CVE-2026-32287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32287 [HIGH] CVE-2026-32287 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32287: Amazon CloudWatch Agent vulnerability analysis and mitigation
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Source: NVD
Score: 7.5
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Amazon CloudWatch Agent
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
opentelemetry-collector
tempo
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 12, 1
Bugzilla
CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
bugzilla·2026-03-06·CVSS 7.5
CVE-2026-25679 [HIGH] CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:5941 https://access.redhat.com/errata/RHSA-2026:5941
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:5942 https://access.redhat.com/errata/RHSA-2026:5942
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.6 Extended Update Support
Via RHSA-2026:5944 https://access.redhat.com/errata/RHSA-2026:5944
---
This issue has been addressed in the following products:
Cryostat 4 on RHEL 9
Via RHSA-2026:6341 https://acc
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4601
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:10125
https://access.redhat.com/errata/RHSA-2026:10133
https://access.redhat.com/errata/RHSA-2026:10140
https://access.redhat.com/errata/RHSA-2026:10141
https://access.redhat.com/errata/RHSA-2026:10158
https://access.redhat.com/errata/RHSA-2026:10169
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:10225
https://access.redhat.com/errata/RHSA-2026:10250
https://access.redhat.com/errata/RHSA-2026:10701
https://access.redhat.com/errata/RHSA-2026:10712
https://access.redhat.com/errata/RHSA-2026:10929
https://access.redhat.com/errata/RHSA-2026:11217
https://access.redhat.com/errata/RHSA-2026:11375
https://access.redhat.com/errata/RHSA-2026:11412
https://access.redhat.com/errata/RHSA-2026:11413
https://access.redhat.com/errata/RHSA-2026:11686
https://access.redhat.com/errata/RHSA-2026:11688
https://access.redhat.com/errata/RHSA-2026:11747
https://access.redhat.com/errata/RHSA-2026:11749
https://access.redhat.com/errata/RHSA-2026:11768
https://access.redhat.com/errata/RHSA-2026:11800
https://access.redhat.com/errata/RHSA-2026:11856
https://access.redhat.com/errata/RHSA-2026:11916
https://access.redhat.com/errata/RHSA-2026:11996
https://access.redhat.com/errata/RHSA-2026:12028
https://access.redhat.com/errata/RHSA-2026:12029
https://access.redhat.com/errata/RHSA-2026:12030
https://access.redhat.com/errata/RHSA-2026:12031
https://access.redhat.com/errata/RHSA-2026:12032
https://access.redhat.com/errata/RHSA-2026:12033
https://access.redhat.com/errata/RHSA-2026:12282
https://access.redhat.com/errata/RHSA-2026:13508
https://access.redhat.com/errata/RHSA-2026:13512
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:13642
https://access.redhat.com/errata/RHSA-2026:13643
https://access.redhat.com/errata/RHSA-2026:13671
https://access.redhat.com/errata/RHSA-2026:13791
https://access.redhat.com/errata/RHSA-2026:13829
https://access.redhat.com/errata/RHSA-2026:14020
https://access.redhat.com/errata/RHSA-2026:14100
https://access.redhat.com/errata/RHSA-2026:14774
https://access.redhat.com/errata/RHSA-2026:14868
https://access.redhat.com/errata/RHSA-2026:14879
https://access.redhat.com/errata/RHSA-2026:15091
https://access.redhat.com/errata/RHSA-2026:16102
https://access.redhat.com/errata/RHSA-2026:16696
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:16875
https://access.redhat.com/errata/RHSA-2026:17040
https://access.redhat.com/errata/RHSA-2026:17084
https://access.redhat.com/errata/RHSA-2026:17287
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:19017
https://access.redhat.com/errata/RHSA-2026:19022
https://access.redhat.com/errata/RHSA-2026:19026
https://access.redhat.com/errata/RHSA-2026:19027
https://access.redhat.com/errata/RHSA-2026:19031
https://access.redhat.com/errata/RHSA-2026:19032
https://access.redhat.com/errata/RHSA-2026:19049
https://access.redhat.com/errata/RHSA-2026:19055
https://access.redhat.com/errata/RHSA-2026:19126
https://access.redhat.com/errata/RHSA-2026:19128
https://access.redhat.com/errata/RHSA-2026:19132
https://access.redhat.com/errata/RHSA-2026:19133
https://access.redhat.com/errata/RHSA-2026:19135
https://access.redhat.com/errata/RHSA-2026:19181
https://access.redhat.com/errata/RHSA-2026:19184
https://access.redhat.com/errata/RHSA-2026:19185
https://access.redhat.com/errata/RHSA-2026:19207
https://access.redhat.com/errata/RHSA-2026:19350
https://access.redhat.com/errata/RHSA-2026:19353
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19475
https://access.redhat.com/errata/RHSA-2026:19634
https://access.redhat.com/errata/RHSA-2026:19719
https://access.redhat.com/errata/RHSA-2026:19720
https://access.redhat.com/errata/RHSA-2026:19721
https://access.redhat.com/errata/RHSA-2026:19750
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:20581
https://access.redhat.com/errata/RHSA-2026:20582
https://access.redhat.com/errata/RHSA-2026:20584
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:21655
https://access.redhat.com/errata/RHSA-2026:21657
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:21696
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:22423
+ 128 more references
Published: 2026-03-06