Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:51

Modified

2026-05-02 09:17

Summary

Security fixes for CVE-2025-61727, CVE-2025-61729, CVE-2025-68121, CVE-2026-1229, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-32952, CVE-2026-33186, CVE-2026-33810, CVE-2026-33816, CVE-2026-34986, CVE-2026-39883, ghsa-9jj7-4m8r-rfcm, ghsa-pjcq-xvwq-hhpj applied in versions: 2.4.4-r2, 2.5.0-r0, 2.5.1-r0, 2.5.1-r1, 2.5.1-r2, 2.5.1-r3

Details

Multiple security vulnerabilities affect the openbao-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-61727	WEB
	https://osv.dev/vulnerability/CVE-2025-61729	WEB
	https://osv.dev/vulnerability/CVE-2025-68121	WEB
	https://osv.dev/vulnerability/CVE-2026-1229	WEB
	https://osv.dev/vulnerability/CVE-2026-25679	WEB
	https://osv.dev/vulnerability/CVE-2026-26958	WEB
	https://osv.dev/vulnerability/CVE-2026-27139	WEB
	https://osv.dev/vulnerability/CVE-2026-27142	WEB
	https://osv.dev/vulnerability/CVE-2026-27143	WEB
	https://osv.dev/vulnerability/CVE-2026-27144	WEB
	https://osv.dev/vulnerability/CVE-2026-32280	WEB
	https://osv.dev/vulnerability/CVE-2026-32281	WEB
	https://osv.dev/vulnerability/CVE-2026-32282	WEB
	https://osv.dev/vulnerability/CVE-2026-32283	WEB
	https://osv.dev/vulnerability/CVE-2026-32289	WEB
	https://osv.dev/vulnerability/CVE-2026-32952	WEB
	https://osv.dev/vulnerability/CVE-2026-33186	WEB
	https://osv.dev/vulnerability/CVE-2026-33810	WEB
	https://osv.dev/vulnerability/CVE-2026-33816	WEB
	https://osv.dev/vulnerability/CVE-2026-34986	WEB
	https://osv.dev/vulnerability/CVE-2026-39883	WEB
	https://osv.dev/vulnerability/ghsa-9jj7-4m8r-rfcm	WEB
	https://osv.dev/vulnerability/ghsa-pjcq-xvwq-hhpj	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61727	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-61729	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-68121	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25679	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26958	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27139	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27142	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27143	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27144	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32280	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32281	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32282	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32283	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32289	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32952	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33186	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33810	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33816	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34986	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39883	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "openbao-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1-r3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the openbao-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-CB00984",
  "modified": "2026-05-02T09:17:37Z",
  "published": "2026-05-18T13:51:23.281032Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CB00984.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61727"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61729"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26958"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27143"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27144"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32282"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32952"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33816"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39883"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9jj7-4m8r-rfcm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pjcq-xvwq-hhpj"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61727"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32952"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33816"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-61727, CVE-2025-61729, CVE-2025-68121, CVE-2026-1229, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-32952, CVE-2026-33186, CVE-2026-33810, CVE-2026-33816, CVE-2026-34986, CVE-2026-39883, ghsa-9jj7-4m8r-rfcm, ghsa-pjcq-xvwq-hhpj applied in versions: 2.4.4-r2, 2.5.0-r0, 2.5.1-r0, 2.5.1-r1, 2.5.1-r2, 2.5.1-r3",
  "upstream": [
    "CVE-2025-61727",
    "CVE-2025-61729",
    "CVE-2025-68121",
    "CVE-2026-1229",
    "CVE-2026-25679",
    "CVE-2026-26958",
    "CVE-2026-27139",
    "CVE-2026-27142",
    "CVE-2026-27143",
    "CVE-2026-27144",
    "CVE-2026-32280",
    "CVE-2026-32281",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32289",
    "CVE-2026-32952",
    "CVE-2026-33186",
    "CVE-2026-33810",
    "CVE-2026-33816",
    "CVE-2026-34986",
    "CVE-2026-39883",
    "ghsa-9jj7-4m8r-rfcm",
    "ghsa-pjcq-xvwq-hhpj"
  ]
}

CVE-2025-61727 (GCVE-0-2025-61727)

Vulnerability from cvelistv5 – Published: 2025-12-03 19:37 – Updated: 2025-12-03 22:06

Title

Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

Summary

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

4 references

URL	Tags
https://go.dev/cl/723900
https://go.dev/issue/76442
https://groups.google.com/g/golang-announce/c/8FJ…
https://pkg.go.dev/vuln/GO-2025-4175

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.24.11 (semver) Affected: 1.25.0 , < 1.25.5 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T22:06:13.958433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T22:06:17.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.5",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T19:37:15.054Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/723900"
        },
        {
          "url": "https://go.dev/issue/76442"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4175"
        }
      ],
      "title": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61727",
    "datePublished": "2025-12-03T19:37:15.054Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2025-12-03T22:06:17.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61729 (GCVE-0-2025-61729)

Vulnerability from cvelistv5 – Published: 2025-12-02 18:54 – Updated: 2025-12-03 19:37

Title

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Summary

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/725920
https://go.dev/issue/76445
https://groups.google.com/g/golang-announce/c/8FJ…
https://pkg.go.dev/vuln/GO-2025-4155

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.24.11 (semver) Affected: 1.25.0 , < 1.25.5 (semver)

Credits

Philippe Antoine (Catena cyber)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T21:52:36.341575Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T21:52:58.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.VerifyHostname"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.5",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Philippe Antoine (Catena cyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T19:37:14.903Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/725920"
        },
        {
          "url": "https://go.dev/issue/76445"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4155"
        }
      ],
      "title": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61729",
    "datePublished": "2025-12-02T18:54:10.166Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2025-12-03T19:37:14.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68121 (GCVE-0-2025-68121)

Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-04-29 13:29

Title

Unexpected session resumption in crypto/tls

Summary

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/K09…
https://go.dev/cl/737700
https://go.dev/issue/77217
https://pkg.go.dev/vuln/GO-2026-4337

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/tls	Affected: 0 , < 1.24.13 (semver) Affected: 1.25.0-0 , < 1.25.7 (semver) Affected: 1.26.0-rc.1 , < 1.26.0-rc.3 (semver)

Credits

Coia Prant (github.com/rbqvq) Go Security Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-68121",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T03:55:46.305385Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:29:25.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handshakeContext"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.7",
              "status": "affected",
              "version": "1.25.0-0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.0-rc.3",
              "status": "affected",
              "version": "1.26.0-rc.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Coia Prant (github.com/rbqvq)"
        },
        {
          "lang": "en",
          "value": "Go Security Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:48:44.141Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "url": "https://go.dev/cl/737700"
        },
        {
          "url": "https://go.dev/issue/77217"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4337"
        }
      ],
      "title": "Unexpected session resumption in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-68121",
    "datePublished": "2026-02-05T17:48:44.141Z",
    "dateReserved": "2025-12-15T16:48:04.451Z",
    "dateUpdated": "2026-04-29T13:29:25.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1229 (GCVE-0-2026-1229)

Vulnerability from cvelistv5 – Published: 2026-02-24 07:58 – Updated: 2026-02-24 15:10

Title

Incorrect calculation in CIRCL secp384r1 CombinedMult

Summary

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Severity ?

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

CWE

CWE-682 - Incorrect Calculation

Assigner

cloudflare

References

1 reference

URL	Tags
https://github.com/cloudflare/circl

Impacted products

1 product

Vendor	Product	Version
Cloudflare	CIRCL	Affected: CIRCL up to version 1.6.2 , < 1.6.3 (custom)

Credits

Guido Vranken

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T15:04:09.395394Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T15:10:21.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Go"
          ],
          "product": "CIRCL",
          "repo": "https://github.com/cloudflare/circl",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "1.6.3",
              "status": "affected",
              "version": "CIRCL up to version 1.6.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guido Vranken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThe CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\u003cbr\u003eECDH and ECDSA signing relying on this curve are not affected.\u003c/p\u003e\u003cp\u003eThe bug was fixed in \u003cstrong\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\"\u003ev1.6.3\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-682",
              "description": "CWE-682 Incorrect Calculation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T07:58:54.406Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/circl"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Incorrect calculation in CIRCL secp384r1 CombinedMult",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-1229",
    "datePublished": "2026-02-24T07:58:54.406Z",
    "dateReserved": "2026-01-20T13:09:57.206Z",
    "dateUpdated": "2026-02-24T15:10:21.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37

Title

Incorrect parsing of IPv6 host literals in net/url

Summary

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/Edh…
https://pkg.go.dev/vuln/GO-2026-4601

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:36:26.554241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:37:02.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseHost"
            },
            {
              "name": "JoinPath"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseRequestURI"
            },
            {
              "name": "URL.Parse"
            },
            {
              "name": "URL.UnmarshalBinary"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.211Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/752180"
        },
        {
          "url": "https://go.dev/issue/77578"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "title": "Incorrect parsing of IPv6 host literals in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25679",
    "datePublished": "2026-03-06T21:28:14.211Z",
    "dateReserved": "2026-02-05T01:33:41.943Z",
    "dateUpdated": "2026-03-10T13:37:02.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26958 (GCVE-0-2026-26958)

Vulnerability from cvelistv5 – Published: 2026-02-19 23:01 – Updated: 2026-02-20 15:39

Title

filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity

Summary

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.

Severity ?

1.7 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

CWE

CWE-665 - Improper Initialization

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/FiloSottile/edwards25519/secur…	x_refsource_CONFIRM
https://github.com/FiloSottile/edwards25519/commi…	x_refsource_MISC
https://github.com/FiloSottile/edwards25519/relea…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
FiloSottile	filippo.io/edwards25519	Affected: < 1.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T15:27:08.887006Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T15:39:04.748Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filippo.io/edwards25519",
          "vendor": "FiloSottile",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 1.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-665",
              "description": "CWE-665: Improper Initialization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T23:01:26.923Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr"
        },
        {
          "name": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb"
        },
        {
          "name": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FiloSottile/edwards25519/releases/tag/v1.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fw7p-63qq-7hpr",
        "discovery": "UNKNOWN"
      },
      "title": "filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26958",
    "datePublished": "2026-02-19T23:01:26.923Z",
    "dateReserved": "2026-02-16T22:20:28.611Z",
    "dateUpdated": "2026-02-20T15:39:04.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27139 (GCVE-0-2026-27139)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-09 14:53

Title

FileInfo can escape from a Root in os

Summary

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Severity ?

2.5 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-363 - Race Condition Enabling Link Following

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/Edh…
https://go.dev/issue/77827
https://go.dev/cl/749480
https://pkg.go.dev/vuln/GO-2026-4602

Impacted products

1 product

Vendor	Product	Version
Go standard library	os	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Miloslav Trmač of Red Hat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T14:53:55.467850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T14:53:58.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os",
          "product": "os",
          "programRoutines": [
            {
              "name": "File.ReadDir"
            },
            {
              "name": "File.Readdir"
            },
            {
              "name": "ReadDir"
            },
            {
              "name": "dirFS.ReadDir"
            },
            {
              "name": "rootFS.ReadDir"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Miloslav Trma\u010d of Red Hat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.451Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77827"
        },
        {
          "url": "https://go.dev/cl/749480"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4602"
        }
      ],
      "title": "FileInfo can escape from a Root in os"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27139",
    "datePublished": "2026-03-06T21:28:14.451Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-09T14:53:58.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27142 (GCVE-0-2026-27142)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-16 15:21

Title

URLs in meta content attribute actions are not escaped in html/template

Summary

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/Edh…
https://go.dev/issue/77954
https://go.dev/cl/752081
https://pkg.go.dev/vuln/GO-2026-4603

Impacted products

1 product

Vendor	Product	Version
Go standard library	html/template	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T15:21:11.058826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T15:21:14.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "tTag"
            },
            {
              "name": "escaper.escapeAction"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.674Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77954"
        },
        {
          "url": "https://go.dev/cl/752081"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4603"
        }
      ],
      "title": "URLs in meta content attribute actions are not escaped in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27142",
    "datePublished": "2026-03-06T21:28:14.674Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-16T15:21:14.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27143 (GCVE-0-2026-27143)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

Missing bound checks can lead to memory corruption in safe Go in cmd/compile

Summary

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763765
https://go.dev/issue/78333
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4868

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/compile	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:50:24.131708Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:17.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/compile",
          "product": "cmd/compile",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:57.168Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763765"
        },
        {
          "url": "https://go.dev/issue/78333"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4868"
        }
      ],
      "title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27143",
    "datePublished": "2026-04-08T01:06:57.168Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-04-13T18:20:17.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27144 (GCVE-0-2026-27144)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile

Summary

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-440 - Expected Behavior Violation

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763764
https://go.dev/issue/78371
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4867

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/compile	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:49:47.300247Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:28.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/compile",
          "product": "cmd/compile",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:56.908Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763764"
        },
        {
          "url": "https://go.dev/issue/78371"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4867"
        }
      ],
      "title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27144",
    "datePublished": "2026-04-08T01:06:56.908Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-04-13T18:20:28.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-61727 (GCVE-0-2025-61727)

CVE-2025-61729 (GCVE-0-2025-61729)

CVE-2025-68121 (GCVE-0-2025-68121)

CVE-2026-1229 (GCVE-0-2026-1229)

CVE-2026-25679 (GCVE-0-2026-25679)

CVE-2026-26958 (GCVE-0-2026-26958)

CVE-2026-27139 (GCVE-0-2026-27139)

CVE-2026-27142 (GCVE-0-2026-27142)

CVE-2026-27143 (GCVE-0-2026-27143)

CVE-2026-27144 (GCVE-0-2026-27144)

Tags

Sightings

Nomenclature