What is CVE-2026-42503?

CVE-2026-42503 is a high-severity vulnerability in Golang.org/x/tools Golang.org/x/tools/gopls, classified under CWE-1327. CVSS score: 8.8/10. Published 2026-05-06.

How severe is CVE-2026-42503?

High severity. CVSS v3 base score is 8.8 out of 10.

Vulnerability in Golang.org/x/tools Golang.org/x/tools/gopls

CVE-2026-42503

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result…

EPSS: 0.000 (7.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Golang.org/x/tools Golang.org/x/tools/gopls — versions 0.0.0

Weakness classification (CWE)

CWE-1327

References

security@golang.org
security@golang.org

Frequently asked questions

What is CVE-2026-42503?: CVE-2026-42503 is a high-severity vulnerability in Golang.org/x/tools Golang.org/x/tools/gopls, classified under CWE-1327. CVSS score: 8.8/10. Published 2026-05-06.
How severe is CVE-2026-42503?: High severity. CVSS v3 base score is 8.8 out of 10.