Total
135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58187 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-58188 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | |||||
| CVE-2025-58189 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | |||||
| CVE-2025-61723 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | |||||
| CVE-2025-61724 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | |||||
| CVE-2025-47912 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. | |||||
| CVE-2025-58185 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. | |||||
| CVE-2025-47906 | 1 Golang | 1 Go | 2026-01-27 | N/A | 6.5 MEDIUM |
| If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. | |||||
| CVE-2025-61729 | 1 Golang | 1 Go | 2025-12-19 | N/A | 7.5 HIGH |
| Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | |||||
| CVE-2025-61727 | 1 Golang | 1 Go | 2025-12-18 | N/A | 6.5 MEDIUM |
| An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | |||||
| CVE-2024-3566 | 7 Golang, Haskell, Microsoft and 4 more | 7 Go, Process Library, Windows and 4 more | 2025-11-18 | N/A | 9.8 CRITICAL |
| A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | |||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 313 Http Server, Opensearch Data Prepper, Apisix and 310 more | 2025-11-07 | N/A | 7.5 HIGH |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |||||
| CVE-2020-0601 | 2 Golang, Microsoft | 14 Go, Windows, Windows 10 1507 and 11 more | 2025-10-29 | 5.8 MEDIUM | 8.1 HIGH |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
| CVE-2022-30631 | 1 Golang | 1 Go | 2025-10-20 | N/A | 7.5 HIGH |
| Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | |||||
| CVE-2025-0913 | 2 Golang, Microsoft | 2 Go, Windows | 2025-08-08 | N/A | 5.5 MEDIUM |
| os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. | |||||
| CVE-2023-39323 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2025-06-12 | N/A | 8.1 HIGH |
| Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. | |||||
| CVE-2022-41723 | 1 Golang | 3 Go, Hpack, Http2 | 2025-05-05 | N/A | 7.5 HIGH |
| A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | |||||
| CVE-2022-41720 | 2 Golang, Microsoft | 2 Go, Windows | 2025-04-23 | N/A | 7.5 HIGH |
| On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. | |||||
| CVE-2017-8932 | 4 Fedoraproject, Golang, Novell and 1 more | 4 Fedora, Go, Suse Package Hub For Suse Linux Enterprise and 1 more | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries. | |||||
| CVE-2015-5739 | 3 Fedoraproject, Golang, Redhat | 6 Fedora, Go, Enterprise Linux Server and 3 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." | |||||