VYPR

Go

by Golang

CVEs (83)

  • CVE-2024-24785 | Med | Mar 5, 2024
    risk 0.28 | cvss 5.4 | epss 0.01

    If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

  • CVE-2026-42507 | Med | Jun 2, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    When returning errors, functions in the net/textproto package would include their input as part of the error. This might allow an attacker to inject misleading content into errors that are printed or logged.

  • CVE-2026-42500 | Med | May 29, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

  • CVE-2026-39825 | Med | May 7, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by…

  • CVE-2026-39819 | Med | May 7, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2024-34155 | Med | Sep 6, 2024
    risk 0.21 | cvss 4.3 | epss 0.01

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2023-45289 | Med | Mar 5, 2024
    risk 0.21 | cvss 4.3 | epss 0.01

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the…

  • CVE-2025-22866 | Med | Feb 6, 2025
    risk 0.19 | cvss 4.0 | epss 0.00

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow…

  • CVE-2026-27139 | Low | Mar 6, 2026
    risk 0.09 | cvss 2.5 | epss 0.00

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary…

  • CVE-2025-61728 | Jan 28, 2026
    risk 0.00 | cvss | epss 0.01

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726 | Jan 28, 2026
    risk 0.00 | cvss | epss 0.01

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a…

  • CVE-2025-61730 | Jan 28, 2026
    risk 0.00 | cvss | epss 0.00

    During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor…

  • CVE-2025-61731 | Jan 28, 2026
    risk 0.00 | cvss | epss 0.00

    Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker…

  • CVE-2025-68119 | Jan 28, 2026
    risk 0.00 | cvss | epss 0.00

    Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are…

  • CVE-2012-2666 | Jul 9, 2021
    risk 0.00 | cvss | epss 0.02

    golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with a predictable name and executes it as a shell script.

  • CVE-2021-3114 | Jan 26, 2021
    risk 0.00 | cvss | epss 0.03

    In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

  • CVE-2020-29509 | Dec 14, 2020
    risk 0.00 | cvss | epss 0.02

    The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected…

  • CVE-2020-29511 | Dec 14, 2020
    risk 0.00 | cvss | epss 0.02

    The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected…

  • CVE-2020-29510 | Dec 14, 2020
    risk 0.00 | cvss | epss 0.02

    The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream…

  • CVE-2019-9741 | Mar 13, 2019
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
