CVE-2026-42507
Published 2026-06-02
Priority P4 · 28 · medium · 5.3 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS
0.37%
28.9th percentile
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
Affected
114 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform-27 | receptor-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| apicurio | apicurio-registry-rhel8-operator | — | — |
| apicurio | apicurio-registry-rhel9-operator | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| dvo | deployment-validation-rhel8-operator | — | — |
CVSS provenance
nvd · v3.1 · 5.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat · 5.3 · MEDIUM
GHSA
When returning errors, functions in the net/textproto package would include its input as part of the error.
ghsa_unreviewed·2026-06-03
CVE-2026-42507 [MEDIUM] When returning errors, functions in the net/textproto package would include its input as part of the error.
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
VulDB
net-textproto up to 1.25.10/1.26.3 on Go net/textproto log file
vuldb·2026-06-03
CVE-2026-42507 [LOW] net-textproto up to 1.25.10/1.26.3 on Go net/textproto log file
A vulnerability labeled as problematic has been found in net-textproto up to 1.25.10/1.26.3 on Go. This issue affects some unknown processing of the file net/textproto. Such manipulation leads to sensitive information in log files.
This vulnerability is uniquely identified as CVE-2026-42507. The attack can only be initiated within the local network. No exploit exists.
The affected component should be upgraded.
Red Hat
net/textproto: golang: Golang net/textproto: Misleading error messages via input injection
vendor_redhat·2026-06-02·CVSS 5.3
CVE-2026-42507 [MEDIUM] CWE-117 net/textproto: golang: Golang net/textproto: Misleading error messages via input injection
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
A flaw was found in the net/textproto package in Golang. When functions in this package return errors, they include their input as part of the error message. An attacker could exploit this by injecting misleading content into these error messages, which are then printed or logged. This could lead to confusion or misinterpretation of critical system information.
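A caller-side hardening for the CWE-117 condition described above, as an added example that is not code from this page or from the Go project: errors returned by net/textproto are treated as untrusted data and quoted before they reach a log line. The names `ParseHeaders`, `SafeErr` and `constructedInput` are hypothetical, and the example does not depend on the exact error text, which differs between Go versions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// constructedInput is sample data built for this example: a header line with
// no colon (so parsing fails) that also carries a bare CR and an ESC byte.
const constructedInput = "X-Demo no-colon-here\r[constructed]\x1b[0m\r\n\r\n"

// ParseHeaders runs untrusted bytes through net/textproto and returns its error.
func ParseHeaders(raw string) error {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	_, err := r.ReadMIMEHeader()
	return err
}

// SafeErr renders err as one ASCII-only quoted token for logging. Control
// bytes, newlines and non-ASCII runes are escaped, and the text is capped at
// max bytes, so echoed input cannot start a new log line or drive a terminal.
func SafeErr(err error, max int) string {
	if err == nil {
		return `""`
	}
	s, suffix := err.Error(), ""
	if len(s) > max {
		s, suffix = s[:max], "...[truncated]"
	}
	return strconv.QuoteToASCII(s) + suffix
}

func main() {
	if err := ParseHeaders(constructedInput); err != nil {
		// Log the error as quoted data, never as raw text via %v or %s.
		fmt.Printf("level=warn msg=\"header parse failed\" err=%s\n", SafeErr(err, 200))
	}
}
```

Quoting at the logging call site remains useful after upgrading, because other libraries can echo input in their errors as well.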
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security
No detection rules found.
No public exploits indexed.
2026-06-02
Published