Medium severity 5.9 · NVD Advisory · Published May 7, 2026 · Updated May 13, 2026
CVE-2026-39817
Description
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
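A pre-extraction check for the issue described above, as an added example (not code from the Go project or its patch): it walks the member headers of an archive and reports names that would not stay inside the extraction directory. It assumes the classic ar layout (8-byte `!<arch>` magic, 60-byte member headers with a space-padded 16-byte name and a decimal size field); `unsafeMembers` and `member` are hypothetical names, and the sample archive is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

const arMagic = "!<arch>\n" // global header; each member header is 60 bytes (assumed ar layout)

// unsafeMembers walks the ar member headers in data and returns every member
// name that is not a plain file name local to the extraction directory.
func unsafeMembers(data []byte) ([]string, error) {
	if !bytes.HasPrefix(data, []byte(arMagic)) {
		return nil, fmt.Errorf("not an ar archive")
	}
	var bad []string
	for off := len(arMagic); off < len(data); {
		if len(data)-off < 60 || string(data[off+58:off+60]) != "`\n" {
			return nil, fmt.Errorf("bad member header at offset %d", off)
		}
		hdr := data[off : off+60]
		name := strings.TrimRight(string(hdr[0:16]), " ")
		size, err := strconv.Atoi(strings.TrimSpace(string(hdr[48:58])))
		if err != nil || size < 0 || size > len(data)-off-60 {
			return nil, fmt.Errorf("bad member size at offset %d", off)
		}
		// Accept only plain names: not absolute, no "..", no path separators.
		if !filepath.IsLocal(name) || strings.ContainsAny(name, `/\`) {
			bad = append(bad, name)
		}
		off += 60 + size + size%2 // member data is padded to an even length
	}
	return bad, nil
}

// member builds one constructed ar entry (body must have even length).
func member(name, body string) string {
	return fmt.Sprintf("%-16s%-12d%-6d%-6d%-8o%-10d`\n%s", name, 0, 0, 0, 0644, len(body), body)
}

func main() {
	// Constructed sample archive: one ordinary member and two with unsafe names.
	sample := arMagic + member("ok.o", "abcd") + member("../../evil", "xx") + member("/tmp/x", "yy")
	bad, err := unsafeMembers([]byte(sample))
	fmt.Println(bad, err)
}
```

Running a check like this before extraction, or extracting only inside a throwaway directory, keeps untrusted archives from being handed to a tool that expects known-good inputs.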
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
- go.dev/cl/767520 (NVD: Patch)
- pkg.go.dev/vuln/GO-2026-4979 (NVD: Vendor Advisory)
- go.dev/issue/78778 (NVD: Issue Tracking)
- groups.google.com/g/golang-announce/c/qcCIEXso47M (NVD: Issue Tracking, Mailing List)
News mentions: 1
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)