cvebase

Golang Go vulnerabilities

168 known vulnerabilities affecting golang/go.

Total CVEs: 168
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 98, MEDIUM 49, LOW 3

Vulnerabilities

Page 3 of 9
CVE-2020-28366 | P3 | HIGH | CVSS 7.5 | fixed in 1.14.12 | ≥ 1.15, < 1.15.5 | 2020-11-18
CVE-2020-28366 [HIGH] CWE-94: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
nvd
CVE-2022-41720 | P3 | HIGH | CVSS 7.5 | fixed in 1.18.9 | ≥ 1.19.0, < 1.19.4 | 2022-12-07
CVE-2022-41720 [HIGH] CWE-22: On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide
nvd
CVE-2019-17596 | P3 | HIGH | CVSS 7.5 | ≥ 1.12, < 1.12.11 | ≥ 1.13, < 1.13.2 | 2019-10-24
CVE-2019-17596 [HIGH] CWE-436: Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
nvd
CVE-2022-23773 | P3 | HIGH | CVSS 7.5 | fixed in 1.16.14 | ≥ 1.17.0, < 1.17.7 | 2022-02-11
CVE-2022-23773 [HIGH] CWE-436: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
nvd
CVE-2021-39293 | P3 | HIGH | CVSS 7.5 | fixed in 1.16.8 | ≥ 1.17.0, < 1.17.1 | 2022-01-24
CVE-2021-39293 [HIGH]: In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.
nvd
CVE-2026-32283 | P3 | HIGH | CVSS 7.5 | fixed in 1.25.9 | ≥ 1.26.0, < 1.26.2 | 2026-04-08
CVE-2026-32283 [HIGH] CWE-770: If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
nvd
CVE-2018-16875 | P3 | HIGH | CVSS 7.5 | fixed in 1.10.6 | ≥ 1.11.0, < 1.11.3 | 2018-12-14
CVE-2018-16875 [HIGH] CWE-20: The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
nvd
CVE-2022-29804 | P3 | HIGH | CVSS 7.5 | fixed in 1.17.11 | ≥ 1.18.0, < 1.18.3 | 2022-08-10
CVE-2022-29804 [HIGH] CWE-22: Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
nvd
CVE-2022-41722 | P3 | HIGH | CVSS 7.5 | fixed in 1.19.6 | v1.20.0 | 2023-02-28
CVE-2022-41722 [HIGH] CWE-22: A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms
nvd
CVE-2023-45285 | P3 | HIGH | CVSS 7.5 | fixed in 1.20.12 | ≥ 1.21.0-0, < 1.21.5 | 2023-12-06
CVE-2023-45285 [HIGH]: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
nvd
CVE-2026-33811 | P3 | HIGH | CVSS 7.5 | fixed in 1.25.10 | ≥ 1.26.0, < 1.26.3 | 2026-05-07
CVE-2026-33811 [HIGH] CWE-415: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
nvd
CVE-2026-32280 | P3 | HIGH | CVSS 7.5 | fixed in 1.25.9 | ≥ 1.26.0, < 1.26.2 | 2026-04-08
CVE-2026-32280 [HIGH] CWE-770: During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
nvd
CVE-2019-6486 | P3 | HIGH | CVSS 8.2 | fixed in 1.10.8 | ≥ 1.11.1, < 1.11.5 | 2019-01-24
CVE-2019-6486 [HIGH] CWE-770: Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
nvd
CVE-2022-41723 | P3 | HIGH | CVSS 7.5 | fixed in 1.19.6 | v1.20.0 | 2023-02-28
CVE-2022-41723 [HIGH] CWE-400: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
nvd
CVE-2022-28327 | P3 | HIGH | CVSS 7.5 | fixed in 1.17.9 | ≥ 1.18.0, < 1.18.1 | 2022-04-20
CVE-2022-28327 [HIGH]: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.
nvd
CVE-2022-24921 | P3 | HIGH | CVSS 7.5 | fixed in 1.16.15 | ≥ 1.17, < 1.17.8 | 2022-03-05
CVE-2022-24921 [HIGH] CWE-674: regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
nvd
CVE-2021-33195 | P3 | HIGH | CVSS 7.3 | fixed in 1.15.13 | ≥ 1.16.0, < 1.16.5 | 2021-08-02
CVE-2021-33195 [HIGH] CWE-74: Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
nvd
CVE-2023-24534 | P3 | HIGH | CVSS 7.5 | fixed in 1.19.8 | ≥ 1.20.0, < 1.20.3 | 2023-04-06
CVE-2023-24534 [HIGH] CWE-400: HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit t
nvd
CVE-2022-28131 | P3 | HIGH | CVSS 7.5 | fixed in 1.17.12 | ≥ 1.18.0, < 1.18.4 | 2022-08-10
CVE-2022-28131 [HIGH] CWE-674: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
nvd
CVE-2026-39820 | P3 | HIGH | CVSS 7.5 | fixed in 1.25.10 | ≥ 1.26.0, < 1.26.3 | 2026-05-07
CVE-2026-39820 [HIGH] CWE-770: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
nvd