Vulnerability-Lookup

SUSE-SU-2026:21200-1

Vulnerability from csaf_suse - Published: 2026-04-16 07:24 - Updated: 2026-04-16 07:24

Summary

Security update for go1.25

Severity

Moderate

Notes

Title of the patch: Security update for go1.25

Description of the patch: This update for go1.25 fixes the following issues: Update to go1.25.8 (bsc#1244485): - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264). - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268). - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265). Changelog: * go#77253 cmd/compile: miscompile of global array initialization * go#77406 os: Go 1.25.x regression on RemoveAll for windows * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config * go#77531 net/smtp: expiry date of localhostCert for testing is too short

Patchnames: SUSE-SLES-16.0-511

CVE-2026-25679

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27139

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27142

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-security-upd…	self
	https://bugzilla.suse.com/1244485	self
	https://bugzilla.suse.com/1259264	self
	https://bugzilla.suse.com/1259265	self
	https://bugzilla.suse.com/1259268	self
	https://www.suse.com/security/cve/CVE-2026-25679/	self
	https://www.suse.com/security/cve/CVE-2026-27139/	self
	https://www.suse.com/security/cve/CVE-2026-27142/	self
	https://www.suse.com/security/cve/CVE-2026-25679	external
	https://bugzilla.suse.com/1259264	external
	https://www.suse.com/security/cve/CVE-2026-27139	external
	https://bugzilla.suse.com/1259268	external
	https://www.suse.com/security/cve/CVE-2026-27142	external
	https://bugzilla.suse.com/1259265	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for go1.25",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for go1.25 fixes the following issues:\n\nUpdate to go1.25.8 (bsc#1244485):\n\n- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).\n- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).\n- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).\n\nChangelog:\n\n* go#77253 cmd/compile: miscompile of global array initialization\n* go#77406 os: Go 1.25.x regression on RemoveAll for windows\n* go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd\n* go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in\n  pkg-config\n* go#77531 net/smtp: expiry date of localhostCert for testing is too short\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-511",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21200-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:21200-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621200-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:21200-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025512.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1244485",
        "url": "https://bugzilla.suse.com/1244485"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259264",
        "url": "https://bugzilla.suse.com/1259264"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259265",
        "url": "https://bugzilla.suse.com/1259265"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259268",
        "url": "https://bugzilla.suse.com/1259268"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-25679 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-25679/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27139 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27139/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27142 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27142/"
      }
    ],
    "title": "Security update for go1.25",
    "tracking": {
      "current_release_date": "2026-04-16T07:24:47Z",
      "generator": {
        "date": "2026-04-16T07:24:47Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:21200-1",
      "initial_release_date": "2026-04-16T07:24:47Z",
      "revision_history": [
        {
          "date": "2026-04-16T07:24:47Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.25-1.25.8-160000.1.1.aarch64",
                "product": {
                  "name": "go1.25-1.25.8-160000.1.1.aarch64",
                  "product_id": "go1.25-1.25.8-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-doc-1.25.8-160000.1.1.aarch64",
                "product": {
                  "name": "go1.25-doc-1.25.8-160000.1.1.aarch64",
                  "product_id": "go1.25-doc-1.25.8-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-libstd-1.25.8-160000.1.1.aarch64",
                "product": {
                  "name": "go1.25-libstd-1.25.8-160000.1.1.aarch64",
                  "product_id": "go1.25-libstd-1.25.8-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-race-1.25.8-160000.1.1.aarch64",
                "product": {
                  "name": "go1.25-race-1.25.8-160000.1.1.aarch64",
                  "product_id": "go1.25-race-1.25.8-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.25-1.25.8-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.25-1.25.8-160000.1.1.ppc64le",
                  "product_id": "go1.25-1.25.8-160000.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-doc-1.25.8-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.25-doc-1.25.8-160000.1.1.ppc64le",
                  "product_id": "go1.25-doc-1.25.8-160000.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-race-1.25.8-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.25-race-1.25.8-160000.1.1.ppc64le",
                  "product_id": "go1.25-race-1.25.8-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.25-1.25.8-160000.1.1.s390x",
                "product": {
                  "name": "go1.25-1.25.8-160000.1.1.s390x",
                  "product_id": "go1.25-1.25.8-160000.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-doc-1.25.8-160000.1.1.s390x",
                "product": {
                  "name": "go1.25-doc-1.25.8-160000.1.1.s390x",
                  "product_id": "go1.25-doc-1.25.8-160000.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-race-1.25.8-160000.1.1.s390x",
                "product": {
                  "name": "go1.25-race-1.25.8-160000.1.1.s390x",
                  "product_id": "go1.25-race-1.25.8-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.25-1.25.8-160000.1.1.x86_64",
                "product": {
                  "name": "go1.25-1.25.8-160000.1.1.x86_64",
                  "product_id": "go1.25-1.25.8-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-doc-1.25.8-160000.1.1.x86_64",
                "product": {
                  "name": "go1.25-doc-1.25.8-160000.1.1.x86_64",
                  "product_id": "go1.25-doc-1.25.8-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-libstd-1.25.8-160000.1.1.x86_64",
                "product": {
                  "name": "go1.25-libstd-1.25.8-160000.1.1.x86_64",
                  "product_id": "go1.25-libstd-1.25.8-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.25-race-1.25.8-160000.1.1.x86_64",
                "product": {
                  "name": "go1.25-race-1.25.8-160000.1.1.x86_64",
                  "product_id": "go1.25-race-1.25.8-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-libstd-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-libstd-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-libstd-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-libstd-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-doc-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-doc-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-libstd-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-libstd-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-libstd-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-libstd-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.25-race-1.25.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
        },
        "product_reference": "go1.25-race-1.25.8-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25679",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-25679"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-25679",
          "url": "https://www.suse.com/security/cve/CVE-2026-25679"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259264 for CVE-2026-25679",
          "url": "https://bugzilla.suse.com/1259264"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-16T07:24:47Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-25679"
    },
    {
      "cve": "CVE-2026-27139",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27139"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27139",
          "url": "https://www.suse.com/security/cve/CVE-2026-27139"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259268 for CVE-2026-27139",
          "url": "https://bugzilla.suse.com/1259268"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-16T07:24:47Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27139"
    },
    {
      "cve": "CVE-2026-27142",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27142"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27142",
          "url": "https://www.suse.com/security/cve/CVE-2026-27142"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259265 for CVE-2026-27142",
          "url": "https://bugzilla.suse.com/1259265"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:go1.25-race-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-doc-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-libstd-1.25.8-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.aarch64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:go1.25-race-1.25.8-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-16T07:24:47Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27142"
    }
  ]
}

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37

Title

Incorrect parsing of IPv6 host literals in net/url

Summary

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

URL

Tags

	https://go.dev/cl/752180
	https://go.dev/issue/77578
	https://groups.google.com/g/golang-announce/c/Edh…
	https://pkg.go.dev/vuln/GO-2026-4601

Impacted products

	Vendor	Product	Version
	Go standard library	net/url	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:36:26.554241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:37:02.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseHost"
            },
            {
              "name": "JoinPath"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseRequestURI"
            },
            {
              "name": "URL.Parse"
            },
            {
              "name": "URL.UnmarshalBinary"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.211Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/752180"
        },
        {
          "url": "https://go.dev/issue/77578"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "title": "Incorrect parsing of IPv6 host literals in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25679",
    "datePublished": "2026-03-06T21:28:14.211Z",
    "dateReserved": "2026-02-05T01:33:41.943Z",
    "dateUpdated": "2026-03-10T13:37:02.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27142 (GCVE-0-2026-27142)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-16 15:21

Title

URLs in meta content attribute actions are not escaped in html/template

Summary

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

URL

Tags

	https://groups.google.com/g/golang-announce/c/Edh…
	https://go.dev/issue/77954
	https://go.dev/cl/752081
	https://pkg.go.dev/vuln/GO-2026-4603

Impacted products

	Vendor	Product	Version
	Go standard library	html/template	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T15:21:11.058826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T15:21:14.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "tTag"
            },
            {
              "name": "escaper.escapeAction"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.674Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77954"
        },
        {
          "url": "https://go.dev/cl/752081"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4603"
        }
      ],
      "title": "URLs in meta content attribute actions are not escaped in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27142",
    "datePublished": "2026-03-06T21:28:14.674Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-16T15:21:14.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27139 (GCVE-0-2026-27139)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-09 14:53

Title

FileInfo can escape from a Root in os

Summary

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Severity ?

2.5 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-363 - Race Condition Enabling Link Following

Assigner

References

URL

Tags

	https://groups.google.com/g/golang-announce/c/Edh…
	https://go.dev/issue/77827
	https://go.dev/cl/749480
	https://pkg.go.dev/vuln/GO-2026-4602

Impacted products

	Vendor	Product	Version
	Go standard library	os	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Miloslav Trmač of Red Hat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T14:53:55.467850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T14:53:58.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os",
          "product": "os",
          "programRoutines": [
            {
              "name": "File.ReadDir"
            },
            {
              "name": "File.Readdir"
            },
            {
              "name": "ReadDir"
            },
            {
              "name": "dirFS.ReadDir"
            },
            {
              "name": "rootFS.ReadDir"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Miloslav Trma\u010d of Red Hat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.451Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77827"
        },
        {
          "url": "https://go.dev/cl/749480"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4602"
        }
      ],
      "title": "FileInfo can escape from a Root in os"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27139",
    "datePublished": "2026-03-06T21:28:14.451Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-09T14:53:58.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:21200-1

CVE-2026-25679 (GCVE-0-2026-25679)

CVE-2026-27142 (GCVE-0-2026-27142)

CVE-2026-27139 (GCVE-0-2026-27139)

Tags

Sightings

Nomenclature