CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39820 – Quadratic string concatentation in consumeComment in net/mail
https://notcve.org/view.php?id=CVE-2026-39820
07 May 2026 — Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. • https://go.dev/cl/759940 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-42501 – Malicious module proxy can bypass checksum database in cmd/go
https://notcve.org/view.php?id=CVE-2026-42501
07 May 2026 — A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the ... • https://go.dev/cl/775321 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39823 – Bypass of meta content URL escaping causes XSS in html/template
https://notcve.org/view.php?id=CVE-2026-39823
07 May 2026 — CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS. • https://go.dev/cl/769920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-33811 – Crash when handling long CNAME response in net
https://notcve.org/view.php?id=CVE-2026-33811
07 May 2026 — When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. • https://go.dev/cl/767860 • CWE-415: Double Free •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39826 – Escaper bypass leads to XSS in html/template
https://notcve.org/view.php?id=CVE-2026-39826
07 May 2026 — If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. • https://go.dev/cl/771180 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39817 – Invoking "go tool pack" does not sanitize output paths in cmd/go
https://notcve.org/view.php?id=CVE-2026-39817
07 May 2026 — The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. • https://go.dev/cl/767520 • CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39819 – Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go
https://notcve.org/view.php?id=CVE-2026-39819
07 May 2026 — The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. • https://go.dev/cl/763882 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-42499 – Quadratic string concatenation in consumePhrase in net/mail
https://notcve.org/view.php?id=CVE-2026-42499
07 May 2026 — Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. • https://go.dev/cl/771520 •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39825 – ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
https://notcve.org/view.php?id=CVE-2026-39825
07 May 2026 — ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter... • https://go.dev/cl/770541 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-39836 – Panic in Dial and LookupPort when handling NUL byte on Windows in net
https://notcve.org/view.php?id=CVE-2026-39836
07 May 2026 — The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). • https://go.dev/cl/775320 • CWE-476: NULL Pointer Dereference •