cbcvebase.

Golang Go vulnerabilities

168 known vulnerabilities affecting golang/go.

Total CVEs
168
CISA KEV
2
actively exploited
Public exploits
2
Exploited in wild
2
Severity breakdown
CRITICAL18HIGH98MEDIUM49LOW3

Vulnerabilities

Page 7 of 9
CVE-2022-1705P4MEDIUMCVSS 6.5fixed in 1.17.12≥ 1.18.0, < 1.18.42022-08-10
CVE-2022-1705 [MEDIUM] CWE-444 CVE-2022-1705: Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17 Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
nvd
CVE-2022-32148P4MEDIUMCVSS 6.5fixed in 1.17.12≥ 1.18.0, < 1.18.42022-08-10
CVE-2022-32148 [MEDIUM] CVE-2022-32148: Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggere Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
nvd
CVE-2025-47906P4MEDIUMCVSS 6.5fixed in 1.23.12≥ 1.24.0, < 1.24.62025-09-18
CVE-2025-47906 [MEDIUM] CVE-2025-47906: If the PATH environment variable contains paths which are executables (rather than just directories) If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
nvd
CVE-2026-27144P4HIGHCVSS 7.1fixed in 1.25.9≥ 1.26.0, < 1.26.22026-04-08
CVE-2026-27144 [HIGH] CWE-843 CVE-2026-27144: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
nvd
CVE-2020-15586P4MEDIUMCVSS 5.9fixed in 1.13.13≥ 1.14.0, < 1.14.52020-07-17
CVE-2020-15586 [MEDIUM] CWE-362 CVE-2020-15586: Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
nvd
CVE-2017-8932P4MEDIUMCVSS 5.9≤ 1.7.5v1.8+1 more2017-07-06
CVE-2017-8932 [MEDIUM] CWE-682 CVE-2017-8932: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the
nvd
CVE-2025-61727P4MEDIUMCVSS 6.5fixed in 1.24.11≥ 1.25, < 1.25.52025-12-03
CVE-2025-61727 [MEDIUM] CWE-295 CVE-2025-61727: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
nvd
CVE-2020-29509P4MEDIUMCVSS 5.6fixed in 1.17vAll versions2020-12-14
CVE-2020-29509 [MEDIUM] CWE-115 CVE-2020-29509: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
nvd
CVE-2020-29511P4MEDIUMCVSS 5.6fixed in 1.17vAll versions2020-12-14
CVE-2020-29511 [MEDIUM] CWE-115 CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element n The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
nvd
CVE-2021-33197P4MEDIUMCVSS 5.3fixed in 1.15.13≥ 1.16.0, < 1.16.52021-08-02
CVE-2021-33197 [MEDIUM] CWE-862 CVE-2021-33197: In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/ht In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
nvd
CVE-2019-9741P4MEDIUMCVSS 6.1v1.11.52019-03-13
CVE-2019-9741 [MEDIUM] CWE-93 CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker control An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
nvd
CVE-2026-32282P4MEDIUMCVSS 6.4fixed in 1.25.9≥ 1.26.0, < 1.26.22026-04-08
CVE-2026-32282 [MEDIUM] CWE-59 CVE-2026-32282: On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in pro On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target
nvd
CVE-2026-39825P4MEDIUMCVSS 5.3fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-39825 [MEDIUM] CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used w ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of
nvd
CVE-2021-36221P4MEDIUMCVSS 5.9fixed in 1.15.15≥ 1.16.0, < 1.16.72021-08-08
CVE-2021-36221 [MEDIUM] CWE-362 CVE-2021-36221: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
nvd
CVE-2025-61728P4MEDIUMCVSS 6.5fixed in 1.24.12≥ 1.25.0, < 1.25.62026-01-28
CVE-2025-61728 [MEDIUM] CWE-770 CVE-2025-61728: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file i archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
nvd
CVE-2022-29526P4MEDIUMCVSS 5.3fixed in 1.17.10≥ 1.18.0, < 1.18.22022-06-23
CVE-2022-29526 [MEDIUM] CWE-269 CVE-2022-29526: Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a no Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
nvd
CVE-2020-24553P4MEDIUMCVSS 6.1fixed in 1.14.8≥ 1.15.0, < 1.15.12020-09-02
CVE-2020-24553 [MEDIUM] CWE-79 CVE-2020-24553: Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI h Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
nvd
CVE-2026-39826P4MEDIUMCVSS 6.1fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-39826 [MEDIUM] CWE-116 CVE-2026-39826: If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
nvd
CVE-2026-39817P4MEDIUMCVSS 5.9fixed in 1.25.10≥ 1.26.0, < 1.26.32026-05-07
CVE-2026-39817 [MEDIUM] CWE-787 CVE-2026-39817: The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
nvd
CVE-2025-58185P4MEDIUMCVSS 5.3fixed in 1.24.8≥ 1.25.0, < 1.25.22025-10-29
CVE-2025-58185 [MEDIUM] CWE-770 CVE-2025-58185: Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exh Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
nvd
Golang Go vulnerabilities | cvebase