threatengine.sh
Product: golang go
175 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
| CVE | Affected versions | CVSS | Severity | Summary |
|---|---|---|---|---|
| CVE-2026-42501 | < 1.25.10 | 7.5 | HIGH | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validat… |
| CVE-2026-42499 | < 1.25.10 | 7.5 | HIGH | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. |
| CVE-2026-39836 | < 1.25.10 | 7.5 | HIGH | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). |
| CVE-2026-39826 | < 1.25.10 | 6.1 | MEDIUM | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII… |
| CVE-2026-39825 | < 1.25.10 | 5.3 | MEDIUM | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a D… |
| CVE-2026-39823 | < 1.25.10 | 6.1 | MEDIUM | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the… |
| CVE-2026-39820 | < 1.25.10 | 7.5 | HIGH | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memor… |
| CVE-2026-39819 | < 1.25.10 | 5.3 | MEDIUM | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attack… |
| CVE-2026-39817 | < 1.25.10 | 5.9 | MEDIUM | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize out… |
| CVE-2026-33814 | < 1.25.10 | 7.5 | HIGH | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETT… |
| CVE-2026-33811 | < 1.25.10 | 7.5 | HIGH | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. |
| CVE-2026-33810 | >= 1.26.0 and < 1.26.2 | 8.2 | HIGH | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DN… |
| CVE-2026-32289 | < 1.25.9 | 6.1 | MEDIUM | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of cont… |
| CVE-2026-32288 | < 1.25.9 | 5.5 | MEDIUM | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of spar… |
| CVE-2026-32283 | < 1.25.9 | 7.5 | HIGH | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadloc… |
| CVE-2026-32282 | < 1.25.9 | 6.4 | MEDIUM | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on th… |
| CVE-2026-32281 | < 1.25.9 | 7.5 | HIGH | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large n… |
| CVE-2026-32280 | < 1.25.9 | 7.5 | HIGH | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates a… |
| CVE-2026-27144 | < 1.25.9 | 7.1 | HIGH | The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compi… |
| CVE-2026-27143 | < 1.25.9 | 9.8 | CRITICAL | Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would… |
| CVE-2026-27140 | < 1.25.9 | 8.8 | HIGH | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time… |
| CVE-2026-27142 | < 1.25.8 | 6.1 | MEDIUM | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also ha… |
| CVE-2026-27139 | < 1.25.8 | 2.5 | LOW | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could referen… |
| CVE-2026-27138 | all versions | 5.9 | MEDIUM | Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has… |
| CVE-2026-27137 | all versions | 7.5 | HIGH | When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common l… |
| CVE-2026-25679 | < 1.25.8 | 7.5 | HIGH | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2025-68121 | < 1.24.13 | 10.0 | CRITICAL | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial… |
| CVE-2025-58190 | < 0.45.0 | 5.3 | MEDIUM | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to de… |
| CVE-2025-47911 | < 0.45.0 | 5.3 | MEDIUM | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead t… |
| CVE-2025-61732 | < 1.24.13 | 8.6 | HIGH | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. |
| CVE-2025-22873 | < 1.23.9 | 3.8 | LOW | It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.O… |
| CVE-2025-68119 | < 1.24.12 | 7.0 | HIGH | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) ins… |
| CVE-2025-61731 | < 1.24.12 | 7.8 | HIGH | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file… |
| CVE-2025-61730 | < 1.24.12 | 5.3 | MEDIUM | During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Clie… |
| CVE-2025-61728 | < 1.24.12 | 6.5 | MEDIUM | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This c… |
| CVE-2025-61726 | < 1.24.12 | 7.5 | HIGH | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters… |
| CVE-2025-68120 | < 0.52.1 | 5.4 | MEDIUM | To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode. |
| CVE-2025-61727 | < 1.24.11 | 6.5 | MEDIUM | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For… |
| CVE-2025-61729 | < 1.24.11 | 7.5 | HIGH | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out… |
| CVE-2025-47913 | < 0.43.0 | 7.5 | HIGH | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client proce… |
| CVE-2025-61724 | < 1.24.8 | 5.3 | MEDIUM | The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of l… |
| CVE-2025-61723 | < 1.24.8 | 7.5 | HIGH | The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects progra… |
| CVE-2025-58189 | < 1.24.8 | 5.3 | MEDIUM | When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by t… |
| CVE-2025-58188 | < 1.24.8 | 7.5 | HIGH | Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they… |
| CVE-2025-58187 | < 1.24.9 | 7.5 | HIGH | Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to… |
| CVE-2025-58185 | < 1.24.8 | 5.3 | MEDIUM | Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. |
| CVE-2025-47912 | < 1.24.8 | 5.3 | MEDIUM | The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. |
| CVE-2025-47906 | < 1.23.12 | 6.5 | MEDIUM | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to L… |
| CVE-2025-47907 | < 1.23.12 | 7.0 | HIGH | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the ret… |
| CVE-2025-4674 | < 1.23.11 | 8.6 | HIGH | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous V… |
| CVE-2025-0913 | < 1.23.10 | 5.5 | MEDIUM | os.OpenFile(path, os.O_CREATE\|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. |
| CVE-2025-22869 | < 0.35.0 | 7.5 | HIGH | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the k… |
| CVE-2025-22868 | < 0.27.0 | 7.5 | HIGH | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. |
| CVE-2024-24790 | < 1.21.11 | 9.8 | CRITICAL | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for a… |
| CVE-2024-24789 | < 1.21.11 | 5.5 | MEDIUM | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. Th… |
| CVE-2023-45285 | < 1.20.12 | 7.5 | HIGH | Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is… |
| CVE-2023-39326 | < 1.20.12 | 5.3 | MEDIUM | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more byt… |
| CVE-2023-45287 | < 1.20.0 | 7.5 | HIGH | Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to… |
| CVE-2023-49292 | < 2.0.8 | 4.9 | MEDIUM | ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If functions Encapsulate(), Decapsulate() and EC… |
| CVE-2023-45284 | < 1.20.11 | 5.3 | MEDIUM | On Windows, the IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces,… |
| CVE-2023-45283 | < 1.20.11 | 7.5 | HIGH | The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Loca… |
| CVE-2023-39325 | >= 1.20.0 and < 1.20.10 | 7.5 | HIGH | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumpti… |
| CVE-2023-44487 | < 1.20.10 | 7.5 | HIGH | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q… |
| CVE-2023-39323 | < 1.20.9 | 8.1 | HIGH | Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler… |
| CVE-2023-39322 | >= 1.21.0 and < 1.21.1 | 7.5 | HIGH | QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicio… |
| CVE-2023-39321 | >= 1.21.0 and < 1.21.1 | 7.5 | HIGH | Processing an incomplete post-handshake message for a QUIC connection can cause a panic. |
| CVE-2023-39320 | >= 1.21.0 and < 1.21.1 | 9.8 | CRITICAL | The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of th… |
| CVE-2023-39319 | < 1.20.8 | 6.1 | MEDIUM | The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS… |
| CVE-2023-39318 | < 1.20.8 | 6.1 | MEDIUM | The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> cont… |
| CVE-2023-29409 | < 1.19.12 | 5.3 | MEDIUM | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With… |
| CVE-2023-29406 | < 1.19.11 | 6.5 | MEDIUM | The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional… |
| CVE-2023-29405 | < 1.19.10 | 9.8 | CRITICAL | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module… |
| CVE-2023-29404 | < 1.19.10 | 9.8 | CRITICAL | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module… |
| CVE-2023-29403 | < 1.19.10 | 7.8 | HIGH | On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be danger… |
| CVE-2023-29402 | < 1.19.10 | 9.8 | CRITICAL | The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go… |
| CVE-2023-29400 | < 1.19.9 | 7.3 | HIGH | Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with u… |
| CVE-2023-24540 | < 1.19.9 | 9.8 | CRITICAL | Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside… |
| CVE-2023-24539 | < 1.19.9 | 7.3 | HIGH | Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions… |
| CVE-2023-24538 | < 1.19.8 | 9.8 | CRITICAL | Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks ar… |
| CVE-2023-24537 | < 1.19.8 | 7.5 | HIGH | Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an in… |
| CVE-2023-24536 | < 1.19.8 | 7.5 | HIGH | Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of pa… |
| CVE-2023-24534 | < 1.19.8 | 7.5 | HIGH | HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial… |
| CVE-2023-24532 | < 1.19.7 | 5.3 | MEDIUM | The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced… |
| CVE-2022-41725 | < 1.19.6 | 7.5 | HIGH | A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mi… |
| CVE-2022-41724 | < 1.19.6 | 7.5 | HIGH | Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause… |
| CVE-2022-41723 | < 1.19.6 | 7.5 | HIGH | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of se… |
| CVE-2022-41722 | < 1.19.6 | 7.5 | HIGH | A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an inv… |
| CVE-2022-41717 | < 1.18.9 | 5.3 | MEDIUM | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache… |
| CVE-2022-41720 | < 1.18.9 | 7.5 | HIGH | On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to… |
| CVE-2022-41716 | < 1.18.8 | 7.5 | HIGH | Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess… |
| CVE-2022-41715 | < 1.18.7 | 7.5 | HIGH | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The… |
| CVE-2022-2880 | < 1.18.7 | 7.5 | HIGH | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters reje… |
| CVE-2022-2879 | < 1.18.7 | 7.5 | HIGH | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate u… |
| CVE-2022-32190 | all versions | 7.5 | HIGH | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "..… |
| CVE-2022-27664 | < 1.18.6 | 7.5 | HIGH | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can… |
| CVE-2022-32189 | < 1.17.13 | 7.5 | HIGH | A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, po… |
| CVE-2022-32148 | < 1.17.12 | 6.5 | MEDIUM | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseP… |
| CVE-2022-30635 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due t… |
| CVE-2022-30633 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to sta… |
| CVE-2022-30632 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack e… |
| CVE-2022-30631 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to… |
| CVE-2022-30630 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustio… |
| CVE-2022-30629 | < 1.17.11 | 3.1 | LOW | Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can o… |
| CVE-2022-30580 | < 1.17.11 | 7.8 | HIGH | Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory n… |
| CVE-2022-29804 | < 1.17.11 | 7.5 | HIGH | Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 o… |
| CVE-2022-28131 | < 1.17.12 | 7.5 | HIGH | Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to… |
| CVE-2022-1962 | < 1.17.12 | 5.5 | MEDIUM | Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due… |
| CVE-2022-1705 | < 1.17.12 | 6.5 | MEDIUM | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP… |
| CVE-2022-30634 | < 1.17.11 | 7.5 | HIGH | Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows an attacker to cause an indefinite hang by pas… |
| CVE-2022-29526 | < 1.17.10 | 5.3 | MEDIUM | Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Fa… |
| CVE-2022-28327 | < 1.17.9 | 7.5 | HIGH | The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. |
| CVE-2022-27536 | >= 1.18.0 and < 1.18.1 | 7.5 | HIGH | Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed… |
| CVE-2022-24675 | < 1.17.9 | 7.5 | HIGH | encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. |
| CVE-2022-24921 | < 1.16.15 | 7.5 | HIGH | regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. |
| CVE-2022-23806 | < 1.16.14 | 9.1 | CRITICAL | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a… |
| CVE-2022-23773 | < 1.16.14 | 7.5 | HIGH | cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This ca… |
| CVE-2022-23772 | < 1.16.14 | 7.5 | HIGH | Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consu… |
| CVE-2021-39293 | < 1.16.8 | 7.5 | HIGH | In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are pre… |
| CVE-2021-44717 | < 1.16.12 | 4.8 | MEDIUM | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection… |
| CVE-2021-44716 | < 1.16.12 | 7.5 | HIGH | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache… |
| CVE-2021-41772 | < 1.16.10 | 7.5 | HIGH | Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid… |
| CVE-2021-41771 | < 1.16.10 | 7.5 | HIGH | ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location Afte… |
| CVE-2021-38297 | < 1.16.9 | 9.8 | CRITICAL | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, w… |
| CVE-2021-36221 | < 1.15.15 | 5.9 | MEDIUM | Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an Er… |
| CVE-2021-29923 | < 1.17 | 7.5 | HIGH | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situa… |
| CVE-2021-33198 | < 1.15.13 | 7.5 | HIGH | In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or Unmarsha… |
| CVE-2021-33197 | < 1.15.13 | 5.3 | MEDIUM | In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation… |
| CVE-2021-33196 | < 1.15.13 | 7.5 | HIGH | In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader… |
| CVE-2021-33195 | < 1.15.13 | 7.3 | HIGH | Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a… |
| CVE-2021-34558 | < 1.15.14 | 6.5 | MEDIUM | The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches t… |
| CVE-2012-2666 | all versions | 9.8 | CRITICAL | golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file wit… |
| CVE-2021-31525 | < 1.15.12 | 5.9 | MEDIUM | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large he… |
| CVE-2021-33194 | <= 1.15.12 | 7.5 | HIGH | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via craft… |
| CVE-2021-27919 | >= 1.16.0 and < 1.16.1 | 5.5 | MEDIUM | archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open… |
| CVE-2021-27918 | < 1.15.9 | 7.5 | HIGH | encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) r… |
| CVE-2021-3115 | < 1.14.14 | 7.5 | HIGH | Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the… |
| CVE-2021-3114 | < 1.14.14 | 6.5 | MEDIUM | In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of… |
| CVE-2020-28851 | all versions | 7.5 | HIGH | In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u-extension. (x/te… |
| CVE-2020-29511 | < 1.17 | 9.8 | CRITICAL | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during token… |
| CVE-2020-29510 | <= 1.15 | 9.8 | CRITICAL | The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenizati… |
| CVE-2020-29509 | < 1.17 | 9.8 | CRITICAL | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tok… |
| CVE-2020-28367 | < 1.14.12 | 7.5 | HIGH | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malici… |
| CVE-2020-28366 | < 1.14.12 | 7.5 | HIGH | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a mali… |
| CVE-2020-28362 | < 1.14.12 | 7.5 | HIGH | Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. |
| CVE-2020-24553 | < 1.14.8 | 6.1 | MEDIUM | Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Ty… |
| CVE-2020-16845 | < 1.13.15 | 7.5 | HIGH | Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via inval… |
| CVE-2020-15586 | < 1.13.13 | 5.9 | MEDIUM | Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy… |
| CVE-2020-14039 | < 1.13.13 | 5.3 | MEDIUM | In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements… |
| CVE-2020-7919 | >= 1.12 and < 1.12.6 | 7.5 | HIGH | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) all… |
| CVE-2015-5741 | < 1.4.3 | 9.8 | CRITICAL | The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attacker… |
| CVE-2020-0601 | >= 1.12 and < 1.12.16 | 8.1 | HIGH | A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificate… |
| CVE-2019-17596 | >= 1.12 and < 1.12.11 | 7.5 | HIGH | Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public ke… |
| CVE-2019-16276 | < 1.12.10 | 7.5 | HIGH | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| CVE-2019-14809 | < 1.11.13 | 9.8 | CRITICAL | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in so… |
| CVE-2019-11888 | <= 1.12.5 | 9.8 | CRITICAL | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows… |
| CVE-2019-9741 | all versions | 6.1 | MEDIUM | An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstr… |
| CVE-2019-9634 | < 1.11.10 | 7.8 | HIGH | Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. |
| CVE-2019-6486 | < 1.10.8 | 8.2 | HIGH | Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of… |
| CVE-2018-16875 | < 1.10.6 | 5.9 | MEDIUM | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain ve… |
| CVE-2018-16874 | < 1.10.6 | 8.1 | HIGH | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the imp… |
| CVE-2018-16873 | < 1.10.6 | 8.1 | HIGH | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -… |
| CVE-2018-7187 | < 1.9.5 | 8.8 | HIGH | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vc… |
| CVE-2018-6574 | <= 1.8.6 | 7.8 | HIGH | Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during… |
| CVE-2015-5740 | <= 1.4.2 | 9.8 | CRITICAL | The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attacker… |
| CVE-2015-5739 | <= 1.4.2 | 9.8 | CRITICAL | The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote a… |
| CVE-2017-15042 | <= 1.8.3 | 5.9 | MEDIUM | An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN aut… |
| CVE-2017-15041 | <= 1.8.3 | 9.8 | CRITICAL | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange t… |
| CVE-2017-1000098 | < 1.6.4 | 7.5 | HIGH | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses th… |
| CVE-2017-1000097 | < 1.6.4 | 7.5 | HIGH | On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Key… |
| CVE-2017-8932 | <= 1.7.5 | 5.9 | MEDIUM | A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before… |
| CVE-2016-5386 | >= 1.0 and < 1.6.3 | 8.1 | HIGH | The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does… |
| CVE-2016-3959 | <= 1.5 | 7.5 | HIGH | The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to th… |
| CVE-2016-3958 | >= 1.5 and < 1.5.4 | 7.8 | HIGH | Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via… |
| CVE-2015-8618 | all versions | 7.5 | HIGH | The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect o… |
| CVE-2014-7189 | all versions | | | crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via… |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin