VYPR

Vendor CVEs

GO

All CVEs

32 total · sorted by risk
  • CVE-2024-46957CriSep 25, 2024
    risk 0.64cvss 9.8epss 0.01

    Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing if the implementation uses predictable IDs because the stanza type is not checked. This is fixed in 0.22.0.

  • CVE-2015-5739CriOct 18, 2017
    risk 0.57cvss 9.8epss 0.10

    The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."

  • CVE-2016-5386HigJul 19, 2016
    risk 0.53cvss 8.1epss 0.05

    The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to…

  • CVE-2024-24791HigJul 2, 2024
    risk 0.42cvss 7.5epss 0.01

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the…

  • CVE-2026-39817MedMay 7, 2026
    risk 0.31cvss 5.9epss 0.00

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2024-24783MedMar 5, 2024
    risk 0.31cvss 5.9epss 0.01

    Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The…

  • CVE-2026-39825MedMay 7, 2026
    risk 0.27cvss 5.3epss 0.00

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by…

  • CVE-2026-48025Jun 10, 2026
    risk 0.00cvss epss 0.00

    `internal/pki/resolver.go:36-64` constructs a `CAManager` with the plaintext `ed25519.PrivateKey` after unwrapping via the master key; `internal/pki/ca.go:13-16` stores it. Callers at `internal/api/enroll.go:116`, `internal/api/updates.go:297`, and…

  • CVE-2025-61732Feb 5, 2026
    risk 0.00cvss epss 0.00

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-61726Jan 28, 2026
    risk 0.00cvss epss 0.02

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a…

  • CVE-2025-61731Jan 28, 2026
    risk 0.00cvss epss 0.01

    Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker…

  • CVE-2023-39326Dec 6, 2023
    risk 0.00cvss epss 0.01

    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of…

  • CVE-2023-45283Nov 9, 2023
    risk 0.00cvss epss 0.03

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For…

  • CVE-2023-29404Jun 8, 2023
    risk 0.00cvss epss 0.02

    The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.…

  • CVE-2023-24536Apr 6, 2023
    risk 0.00cvss epss 0.01

    Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can…

  • CVE-2022-41724Feb 28, 2023
    risk 0.00cvss epss 0.01

    Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which…

  • CVE-2022-41725Feb 28, 2023
    risk 0.00cvss epss 0.01

    A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package…

  • CVE-2022-2880Oct 14, 2022
    risk 0.00cvss epss 0.01

    Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy…

  • CVE-2022-32148Aug 9, 2022
    risk 0.00cvss epss 0.01

    Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the…

  • CVE-2022-1962Aug 9, 2022
    risk 0.00cvss epss 0.01

    Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

  • CVE-2022-30580Aug 9, 2022
    risk 0.00cvss epss 0.01

    Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

  • CVE-2022-1705Aug 9, 2022
    risk 0.00cvss epss 0.01

    Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.

  • CVE-2022-30631Aug 9, 2022
    risk 0.00cvss epss 0.02

    Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

  • CVE-2022-23773Feb 11, 2022
    risk 0.00cvss epss 0.03

    cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

  • CVE-2020-28852Jan 2, 2021
    risk 0.00cvss epss 0.02

    In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

  • CVE-2020-28851Jan 2, 2021
    risk 0.00cvss epss 0.02

    In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

  • CVE-2020-29511Dec 14, 2020
    risk 0.00cvss epss 0.02

    The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected…

  • CVE-2015-5741Feb 8, 2020
    risk 0.00cvss epss 0.03

    The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

  • CVE-2019-14809Aug 13, 2019
    risk 0.00cvss epss 0.08

    net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port…

  • CVE-2019-9741Mar 13, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

  • CVE-2018-16875Dec 14, 2018
    risk 0.00cvss epss 0.06

    The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates…

  • CVE-2012-1398Mar 7, 2012
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in the GO WeiboWidget (com.gau.go.launcherex.gowidget.weibowidget) application 2.4 for Android has unknown impact and attack vectors.