CVE-2026-25679: Improper Validation of Syntactic Correctness of Input in Standard Library NET URL

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 90.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 6
Latest update: Mar 10

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

CVEListV5 | go_standard_library/net_url | 1.26.0-0 | 1.26.1 | +1

🔴 Vulnerability Details (4)

GHSA
GHSA-j3gx-2473-5fp8: url (2026-03-07)
OSV
CVE-2026-25679: url (2026-03-06)
OSV
Incorrect parsing of IPv6 host literals in net/url (2026-03-06)
CVEList
Incorrect parsing of IPv6 host literals in net/url (2026-03-06)

📋 Vendor Advisories (3)

Microsoft
Incorrect parsing of IPv6 host literals in net/url (2026-03-10)
Red Hat
net/url: Incorrect parsing of IPv6 host literals in net/url (2026-03-06)
Debian
CVE-2026-25679: golang-1.15 - url.Parse insufficiently validated the host/authority component and accepted som... (2026)

🕵️ Threat Intelligence (1)
Wiz
CVE-2026-25679 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla
CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url (2026-03-06)