Golang Go
28 CVEs affecting Golang Go. Latest disclosed: 2026-05-07. Critical: 7, High: 13. The Critical and High entries are listed below.
| CVE | Severity | Score (CVSS) | Published | Summary |
|---|---|---|---|---|
| CVE-2025-68121 | Critical | 10.0 | 2026-02-05 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed han… |
| CVE-2020-29509 | Critical | 9.8 | 2020-12-14 | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which… |
| CVE-2020-29511 | Critical | 9.8 | 2020-12-14 | The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which al… |
| CVE-2020-29510 | Critical | 9.8 | 2020-12-14 | The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows… |
| CVE-2015-5740 | Critical | 9.8 | 2017-10-18 | The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smu… |
| CVE-2015-5739 | Critical | 9.8 | 2017-10-18 | The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP requ… |
| CVE-2017-15041 | Critical | 9.8 | 2017-10-05 | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg… |
| CVE-2016-5386 | High | 8.1 | 2016-07-19 | The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications… |
| CVE-2016-3958 | High | 7.8 | 2016-05-23 | Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the cu… |
| CVE-2026-42501 | High | 7.5 | 2026-05-07 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affec… |
| CVE-2026-42499 | High | 7.5 | 2026-05-07 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. |
| CVE-2026-39836 | High | 7.5 | 2026-05-07 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). |
| CVE-2026-39820 | High | 7.5 | 2026-05-07 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. |
| CVE-2026-33814 | High | 7.5 | 2026-05-07 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a va… |
| CVE-2026-33811 | High | 7.5 | 2026-05-07 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. |
| CVE-2023-44487 | High | 7.5 | 2023-10-10 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the w… |
| CVE-2017-1000098 | High | 7.5 | 2017-10-05 | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It… |
| CVE-2017-1000097 | High | 7.5 | 2017-10-05 | On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not… |
| CVE-2016-3959 | High | 7.5 | 2016-05-23 | The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which… |
| CVE-2015-8618 | High | 7.5 | 2016-01-27 | The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier… |
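The two 2015 request-smuggling entries (CVE-2015-5739 and CVE-2015-5740) both come down to a parser accepting a header line that a front-end proxy reads differently: a duplicated Content-Length, or a field name such as `Content Length` with a space in it. The Go program below is an added example written for this page, not code from the Go project or from the advisories. `SmugglingIndicators` is a stdlib-independent check over a raw HTTP/1.x request that flags conflicting Content-Length values, non-token bytes in field names, and chunked-plus-Content-Length; `StdlibAccepts` feeds the same bytes to the current net/http parser so you can see which of them your toolchain rejects (a patched parser should error on both crafted requests). The three requests are constructed samples, not captured traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample requests (not captured traffic) exercising the two
// header-parsing weaknesses behind CVE-2015-5740 (two Content-Length
// headers) and CVE-2015-5739 (a header key containing a space).
var (
	dupContentLength = "POST /upload HTTP/1.1\r\n" +
		"Host: example.test\r\n" +
		"Content-Length: 6\r\n" +
		"Content-Length: 0\r\n" +
		"\r\n" +
		"GET / HTTP/1.1\r\n" // a front end honouring CL=6 treats this as body; one honouring CL=0 sees a second request
	spacedKey = "POST /upload HTTP/1.1\r\n" +
		"Host: example.test\r\n" +
		"Content Length: 6\r\n" + // "Content Length" is not a token; lenient parsers may still treat it as Content-Length
		"\r\n" +
		"hello\n"
	clean = "POST /upload HTTP/1.1\r\n" +
		"Host: example.test\r\n" +
		"Content-Length: 5\r\n" +
		"\r\n" +
		"hello"
)

// isToken reports whether b is an RFC 7230 tchar, the only bytes allowed in a field name.
func isToken(b byte) bool {
	switch {
	case b >= 'a' && b <= 'z', b >= 'A' && b <= 'Z', b >= '0' && b <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", b) >= 0
}

// SmugglingIndicators scans the header block of a raw HTTP/1.x request and
// returns one finding per pattern that a front-end/back-end disagreement
// could turn into request smuggling. It does not use net/http, so it can be
// run over captured traffic or proxy logs regardless of Go version.
func SmugglingIndicators(raw string) []string {
	var findings []string
	headEnd := strings.Index(raw, "\r\n\r\n")
	if headEnd < 0 {
		headEnd = len(raw)
	}
	lines := strings.Split(raw[:headEnd], "\r\n")
	var contentLengths []string
	chunked := false
	for _, line := range lines[1:] { // lines[0] is the request line
		colon := strings.IndexByte(line, ':')
		if colon < 0 {
			findings = append(findings, "header line without colon: "+line)
			continue
		}
		key, val := line[:colon], strings.TrimSpace(line[colon+1:])
		for i := 0; i < len(key); i++ {
			if !isToken(key[i]) { // catches "Content Length" and "Content-Length :" alike
				findings = append(findings, fmt.Sprintf("non-token byte %q in header key %q", key[i], key))
				break
			}
		}
		switch strings.ToLower(strings.TrimSpace(key)) {
		case "content-length":
			contentLengths = append(contentLengths, val)
		case "transfer-encoding":
			if strings.Contains(strings.ToLower(val), "chunked") {
				chunked = true
			}
		}
	}
	for _, v := range contentLengths[min(1, len(contentLengths)):] {
		if v != contentLengths[0] {
			findings = append(findings, fmt.Sprintf("conflicting Content-Length values %v", contentLengths))
			break
		}
	}
	if chunked && len(contentLengths) > 0 {
		findings = append(findings, "both Transfer-Encoding: chunked and Content-Length present")
	}
	return findings
}

// StdlibAccepts reports whether this toolchain's net/http parser accepts the
// raw request; a patched parser returns an error for both crafted samples.
func StdlibAccepts(raw string) bool {
	_, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	return err == nil
}

func main() {
	samples := map[string]string{"dup-content-length": dupContentLength, "spaced-key": spacedKey, "clean": clean}
	for name, raw := range samples {
		fmt.Printf("%-18s indicators=%v stdlib-accepts=%v\n", name, SmugglingIndicators(raw), StdlibAccepts(raw))
	}
}
```

The indicator check is deliberately stricter than any single parser: a request that one hop accepts and another rejects is exactly the input a smuggling attack needs, so a reverse proxy or WAF should drop everything the function flags rather than try to normalise it.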
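CVE-2017-1000098 deserves a concrete illustration because the `maxMemory` argument of `Request.ParseMultipartForm` is routinely mistaken for a size limit: it only decides when a part spills from RAM to a temporary file, and nothing in that call bounds how much ends up on disk. The Go program below is an added example for this page, not code from the Go project: `unbounded` is the pattern the advisory describes, and `bounded` wraps the body in `http.MaxBytesReader` before parsing, so an oversized request fails inside `ParseMultipartForm` with a `*http.MaxBytesError` (Go 1.19 and later) and is answered with 413. The 1 MiB body cap, the 32 KiB spill threshold and the `/upload` path are assumptions made for the example; the upload bodies are constructed in-process.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

const (
	maxUpload = 1 << 20  // assumed policy for this example: at most 1 MiB per request body
	maxMemory = 32 << 10 // parts larger than this spill to a temp file; NOT a size limit
)

// buildUpload constructs a multipart/form-data body with one file part of the
// given size (constructed sample input for the example).
func buildUpload(size int) (body []byte, contentType string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	part, err := w.CreateFormFile("file", "blob.bin")
	if err != nil {
		panic(err)
	}
	part.Write(bytes.Repeat([]byte{'A'}, size))
	w.Close()
	return buf.Bytes(), w.FormDataContentType()
}

// unbounded is the pattern behind CVE-2017-1000098: maxMemory only chooses
// where the bytes go, so a client can fill the temp directory at will.
func unbounded(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll()
	w.WriteHeader(http.StatusOK)
}

// bounded caps the whole body before the multipart parser ever sees it.
// MaxBytesReader also tells the real server to close the connection, so an
// attacker cannot keep streaming after the limit.
func bounded(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUpload)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll()
	w.WriteHeader(http.StatusOK)
}

// post sends a constructed upload of size bytes to h in-process and returns
// the HTTP status the handler produced.
func post(h http.HandlerFunc, size int) int {
	body, ct := buildUpload(size)
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(body))
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, size := range []int{64 << 10, 2 << 20} {
		fmt.Printf("%8d-byte upload: unbounded=%d bounded=%d\n", size, post(unbounded, size), post(bounded, size))
	}
}
```

Both handlers spill the 64 KiB part to disk, which is fine; the difference shows at 2 MiB, where only the bounded handler refuses the request. The same cap can be applied once for the whole server with `http.MaxBytesHandler` (Go 1.18 and later) instead of per handler.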