VYPR

Go

by Golang

CVEs (83)

  • CVE-2026-46599 | High | May 29, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

  • CVE-2026-46597 | High | May 22, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

  • CVE-2026-39829 | High | May 22, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated…

  • CVE-2026-42501 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can…

  • CVE-2026-42499 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39820 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-33814 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811 | High | May 7, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-32283 | High | Apr 8, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32281 | High | Apr 8, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root…

  • CVE-2026-32280 | High | Apr 8, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of…

  • CVE-2026-27137 | High | Mar 6, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679 | High | Mar 6, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-22867 | High | Feb 6, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

  • CVE-2025-22865 | High | Jan 28, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

  • CVE-2024-34158 | High | Sep 6, 2024
    risk 0.42 | cvss 7.5 | epss 0.01

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156 | High | Sep 6, 2024
    risk 0.42 | cvss 7.5 | epss 0.01

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-24784 | High | Mar 5, 2024
    risk 0.42 | cvss 7.5 | epss 0.01

    The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  • CVE-2017-1000098 | High | Oct 5, 2017
    risk 0.42 | cvss 7.5 | epss 0.02

    The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Page 2 of 5