CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-61726 – Memory exhaustion in query parameter parsing in net/url
https://notcve.org/view.php?id=CVE-2025-61726
20 Jan 2026 — The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory exhaustion vulnera...
https://go.dev/cl/736712
CVSS: 8.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-47912 – Insufficient validation of bracketed IPv6 hostnames in net/url
https://notcve.org/view.php?id=CVE-2025-47912
09 Oct 2025 — The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
https://go.dev/cl/709857
