cvebase

Golang Go vulnerabilities

168 known vulnerabilities affecting golang/go.

Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3

Vulnerabilities

Page 1 of 9
CVE-2020-0601 | P1 | HIGH | CVSS 8.1 | KEV | PoC | Ransomware | ≥ 1.12, < 1.12.16 | ≥ 1.13, < 1.13.7 | 2020-01-14
CVE-2020-0601 [HIGH] CWE-295: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnera
nvd
CVE-2023-44487 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 1.20.10 | ≥ 1.21.0, < 1.21.3 | 2023-10-10
CVE-2023-44487 [HIGH] CWE-400: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
nvd
CVE-2018-7187 | P2 | HIGH | CVSS 8.8 | fixed in 1.9.5 | ≥ 1.10, < 1.10.1 | 2018-02-16
CVE-2018-7187 [HIGH] CWE-78: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
nvd
CVE-2018-16873 | P2 | HIGH | CVSS 8.1 | fixed in 1.10.6 | ≥ 1.11.0, < 1.11.3 | 2018-12-14
CVE-2018-16873 [HIGH] CWE-20: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://
nvd
CVE-2023-29404 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.19.10 | ≥ 1.20.0, < 1.20.5 | 2023-06-08
CVE-2023-29404 [CRITICAL] CWE-94: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrect
nvd
CVE-2023-29405 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.19.10 | ≥ 1.20.0, < 1.20.5 | 2023-06-08
CVE-2023-29405 [CRITICAL] CWE-74: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed fla
nvd
CVE-2023-39320 | P2 | CRITICAL | CVSS 9.8 | ≥ 1.21.0, < 1.21.1 | 2023-09-08
CVE-2023-39320 [CRITICAL] CWE-94: The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
nvd
CVE-2019-14809 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.11.13 | ≥ 1.12.0, < 1.12.8 | 2019-08-13
CVE-2019-14809 [CRITICAL]: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that resul
nvd
CVE-2017-15041 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.8.3 | v1.9 | 2017-10-05
CVE-2017-15041 [CRITICAL]: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to en
nvd
CVE-2023-29402 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.19.10 | ≥ 1.20.0, < 1.20.5 | 2023-06-08
CVE-2023-29402 [CRITICAL] CWE-94: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not aff
nvd
CVE-2021-38297 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.16.9 | ≥ 1.17.0, < 1.17.2 | 2021-10-18
CVE-2021-38297 [CRITICAL] CWE-120: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
nvd
CVE-2025-68121 | P3 | CRITICAL | CVSS 10.0 | fixed in 1.24.13 | ≥ 1.25.0, < 1.25.7 | +1 more | 2026-02-05
CVE-2025-68121 [CRITICAL] CWE-295: During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This
nvd
CVE-2023-39323 | P3 | HIGH | CVSS 8.1 | fixed in 1.20.9 | ≥ 1.21.0, < 1.21.2 | 2023-10-05
CVE-2023-39323 [HIGH]: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploitin
nvd
CVE-2026-27140 | P3 | HIGH | CVSS 8.8 | fixed in 1.25.9 | ≥ 1.26.0, < 1.26.2 | 2026-04-08
CVE-2026-27140 [HIGH] CWE-863: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
nvd
CVE-2015-5739 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.4.2 | 2017-10-18
CVE-2015-5739 [CRITICAL] CWE-444: The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."
nvd
CVE-2021-3115 | P3 | HIGH | CVSS 7.5 | fixed in 1.14.14 | ≥ 1.15, < 1.15.7 | 2021-01-26
CVE-2021-3115 [HIGH] CWE-427: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
nvd
CVE-2026-27143 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.25.9 | ≥ 1.26.0, < 1.26.2 | 2026-04-08
CVE-2026-27143 [CRITICAL]: Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
nvd
CVE-2016-5386 | P3 | HIGH | CVSS 8.1 | ≥ 1.0, < 1.6.3 | v1.7 | 2016-07-19
CVE-2016-5386 [HIGH] CWE-284: The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy se
nvd
CVE-2015-5741 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.4.3 | 2020-02-08
CVE-2015-5741 [CRITICAL] CWE-444: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
nvd
CVE-2023-24538 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.19.8 | ≥ 1.20.0, < 1.20.3 | 2023-04-06
CVE-2023-24538 [CRITICAL] CWE-94: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascrip
nvd