| Bug | trixie | Description |
|---|---|---|
| CVE-2026-42507 | vulnerable (no DSA) | When returning errors, functions in the net/textproto package would in ... |
| CVE-2026-42504 | vulnerable (no DSA) | Decoding a maliciously-crafted MIME header containing many invalid enc ... |
| CVE-2026-42501 | vulnerable (no DSA) | A malicious module proxy can exploit a flaw in the go command's valida ... |
| CVE-2026-42499 | vulnerable (no DSA) | Pathological inputs could cause DoS through consumePhrase when parsing ... |
| CVE-2026-39826 | vulnerable (no DSA) | If a trusted template author were to write a `<script>` tag containing a ... |
| CVE-2026-39825 | vulnerable (no DSA) | ReverseProxy can forward queries containing parameters not visible to ... |
| CVE-2026-39823 | vulnerable (no DSA) | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... |
| CVE-2026-39820 | vulnerable (no DSA) | Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... |
| CVE-2026-39819 | vulnerable (no DSA) | The "go bug" command writes to two files with predictable names in the ... |
| CVE-2026-39817 | vulnerable (no DSA) | The "go tool pack" subcommand (usually used only by the compiler as an ... |
| CVE-2026-33811 | vulnerable (no DSA) | When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ... |
| CVE-2026-32289 | vulnerable (no DSA) | Context was not properly tracked across template branches for JS templ ... |
| CVE-2026-32288 | vulnerable (no DSA) | tar.Reader can allocate an unbounded amount of memory when reading a m ... |
| CVE-2026-32283 | vulnerable (no DSA) | If one side of the TLS connection sends multiple key update messages p ... |
| CVE-2026-32282 | vulnerable (no DSA) | On Linux, if the target of Root.Chmod is replaced with a symlink while ... |
| CVE-2026-32281 | vulnerable (no DSA) | Validating certificate chains which use policies is unexpectedly ineff ... |
| CVE-2026-32280 | vulnerable (no DSA) | During chain building, the amount of work that is done is not correctl ... |
| CVE-2026-27145 | vulnerable (no DSA) | (*x509.Certificate).VerifyHostname previously called matchHostnames in ... |
| CVE-2026-27144 | vulnerable (no DSA) | The compiler is meant to unwrap pointers which are the operands of a m ... |
| CVE-2026-27143 | vulnerable (no DSA) | Arithmetic over induction variables in loops was not correctly checke ... |
| CVE-2026-27142 | vulnerable (no DSA) | Actions which insert URLs into the content attribute of HTML meta tags ... |
| CVE-2026-27140 | vulnerable (no DSA) | SWIG file names containing 'cgo' and well-crafted payloads could lead ... |
| CVE-2026-27139 | vulnerable (no DSA) | On Unix platforms, when listing the contents of a directory using File ... |
| CVE-2025-68121 | vulnerable (no DSA) | During session resumption in crypto/tls, if the underlying Config has ... |
| CVE-2025-68119 | vulnerable (no DSA) | Downloading and building modules with malicious version strings can ca ... |
| CVE-2025-61732 | vulnerable (no DSA) | A discrepancy between how Go and C/C++ comments were parsed allowed fo ... |
| CVE-2025-61731 | vulnerable (no DSA) | Building a malicious file with cmd/go can cause a write to a ... |
| CVE-2025-61730 | vulnerable (no DSA) | During the TLS 1.3 handshake if multiple messages are sent in records ... |
| CVE-2025-61729 | vulnerable (no DSA) | Within HostnameError.Error(), when constructing an error string, there ... |
| CVE-2025-61728 | vulnerable (no DSA) | archive/zip uses a super-linear file name indexing algorithm that is i ... |
| CVE-2025-61727 | vulnerable (no DSA) | An excluded subdomain constraint in a certificate chain does not restr ... |
| CVE-2025-61726 | vulnerable (no DSA) | The net/url package does not set a limit on the number of query parame ... |
| CVE-2025-61725 | vulnerable (no DSA) | The ParseAddress function constructs domain-literal address components ... |
| CVE-2025-61724 | vulnerable (no DSA) | The Reader.ReadResponse function constructs a response string through ... |
| CVE-2025-61723 | vulnerable (no DSA) | The processing time for parsing some invalid inputs scales non-linearl ... |
| CVE-2025-58189 | vulnerable (no DSA) | When Conn.Handshake fails during ALPN negotiation the error contains a ... |
| CVE-2025-58188 | vulnerable (no DSA) | Validating certificate chains which contain DSA public keys can cause ... |
| CVE-2025-58187 | vulnerable (no DSA) | Due to the design of the name constraint checking algorithm, the proce ... |
| CVE-2025-58186 | vulnerable (no DSA) | Despite HTTP headers having a default limit of 1MB, the number of cook ... |
| CVE-2025-58185 | vulnerable (no DSA) | Parsing a maliciously crafted DER payload could allocate large amounts ... |
| CVE-2025-58183 | vulnerable (no DSA) | tar.Reader does not set a maximum size on the number of sparse region ... |
| CVE-2025-47912 | vulnerable (no DSA) | The Parse function permits values other than IPv6 addresses to be incl ... |
| CVE-2025-47907 | vulnerable (no DSA) | Cancelling a query (e.g. by cancelling the context passed to one of th ... |
| CVE-2025-47906 | vulnerable (no DSA) | If the PATH environment variable contains paths which are executables ... |
| CVE-2025-4674 | vulnerable (no DSA) | The go command may execute unexpected commands when operating in untru ... |
| CVE-2024-8244 | vulnerable (no DSA) | The filepath.Walk and filepath.WalkDir functions are documented as not ... |

| Bug | Description |
|---|---|
| CVE-2026-39836 | The Dial and LookupPort functions panic on Windows when provided with ... |
| CVE-2026-33810 | When verifying a certificate chain containing excluded DNS constraints ... |
| CVE-2026-27138 | Certificate verification can panic when a certificate in the chain has ... |
| CVE-2026-27137 | When verifying a certificate chain which contains a certificate contai ... |
| CVE-2026-25679 | url.Parse insufficiently validated the host/authority component and ac ... |
| CVE-2025-47910 | When using http.CrossOriginProtection, the AddInsecureBypassPattern me ... |
| CVE-2025-22874 | Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsag ... |
| CVE-2025-22873 | It was possible to improperly access the parent directory of an os.Roo ... |
| CVE-2025-22871 | The net/http package improperly accepts a bare LF as a line terminator ... |
| CVE-2025-22870 | Matching of hosts against proxy patterns can improperly treat an IPv6 ... |
| CVE-2025-22867 | On Darwin, building a Go module which contains CGO can trigger arbitra ... |
| CVE-2025-22866 | Due to the usage of a variable time instruction in the assembly implem ... |
| CVE-2025-22865 | Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT ... |
| CVE-2025-4673 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross- ... |
| CVE-2025-0913 | os.OpenFile(path, os.O_CREATE\|O_EXCL) behaved differently on Unix and ... |
| CVE-2024-45341 | A certificate with a URI which has an IPv6 address with a zone ID may i ... |
| CVE-2024-45340 | Credentials provided via the new GOAUTH feature were not being properl ... |
| CVE-2024-45336 | The HTTP client drops sensitive headers after following a cross-domain ... |