VYPR

Vendor CVEs

Golang

All CVEs

105 total · sorted by risk
  • CVE-2023-44487HigKEVOct 10, 2023
    risk 0.65cvss 7.5epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2026-46595CriMay 22, 2026
    risk 0.58cvss 10.0epss 0.00

    Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

  • CVE-2025-68121CriFeb 5, 2026
    risk 0.58cvss 10.0epss 0.01

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and…

  • CVE-2026-27143CriApr 8, 2026
    risk 0.57cvss 9.8epss 0.01

    Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

  • CVE-2015-5740CriOct 18, 2017
    risk 0.57cvss 9.8epss 0.04

    The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.

  • CVE-2015-5739CriOct 18, 2017
    risk 0.57cvss 9.8epss 0.10

    The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."

  • CVE-2017-15041CriOct 5, 2017
    risk 0.57cvss 9.8epss 0.09

    Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository…

  • CVE-2026-39821CriMay 22, 2026
    risk 0.55cvss 9.6epss 0.00

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in…

  • CVE-2016-5386HigJul 19, 2016
    risk 0.53cvss 8.1epss 0.05

    The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to…

  • CVE-2026-42508CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

  • CVE-2026-39834CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent…

  • CVE-2026-39833CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns…

  • CVE-2026-39832CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client…

  • CVE-2026-39831CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore…

  • CVE-2026-39830CriMay 22, 2026
    risk 0.52cvss 9.1epss 0.00

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now…

  • CVE-2024-45337CriDec 12, 2024
    risk 0.52cvss 9.1epss 0.03

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee…

  • CVE-2018-6574HigFeb 7, 2018
    risk 0.51cvss 7.8epss 0.08

    Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

  • CVE-2026-27140HigApr 8, 2026
    risk 0.50cvss 8.8epss 0.01

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2024-45340HigJan 28, 2025
    risk 0.50cvss 8.8epss 0.01

    Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

  • CVE-2016-3959HigMay 23, 2016
    risk 0.49cvss 7.5epss 0.04

    The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that…

  • CVE-2015-8618HigJan 27, 2016
    risk 0.49cvss 7.5epss 0.03

    The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.

  • CVE-2025-47909HigAug 29, 2025
    risk 0.47cvss 7.3epss 0.00

    Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com…

  • CVE-2026-33810HigApr 8, 2026
    risk 0.46cvss 8.2epss 0.00

    When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in…

  • CVE-2017-3204HigApr 4, 2017
    risk 0.46cvss 8.1epss 0.03

    The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

  • CVE-2016-3958HigMay 23, 2016
    risk 0.44cvss 7.8epss 0.00

    Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.

  • CVE-2026-46601modJun 25, 2026
    risk 0.42cvss 6.5epss 0.00

    golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images

  • CVE-2026-42504HigJun 2, 2026
    risk 0.42cvss 7.5epss 0.01

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-46599HigMay 29, 2026
    risk 0.42cvss 7.5epss 0.00

    The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

  • CVE-2026-46597HigMay 22, 2026
    risk 0.42cvss 7.5epss 0.00

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

  • CVE-2026-39829HigMay 22, 2026
    risk 0.42cvss 7.5epss 0.00

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated…

  • CVE-2026-42501HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.00

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can…

  • CVE-2026-42499HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.01

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.01

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39820HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.00

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-33814HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.01

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.01

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-33813HigApr 21, 2026
    risk 0.42cvss 7.5epss 0.00

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-32283HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32281HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root…

  • CVE-2026-32280HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of…

  • CVE-2026-27137HigMar 6, 2026
    risk 0.42cvss 7.5epss 0.00

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679HigMar 6, 2026
    risk 0.42cvss 7.5epss 0.01

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-22867HigFeb 6, 2025
    risk 0.42cvss 7.5epss 0.01

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

  • CVE-2025-22865HigJan 28, 2025
    risk 0.42cvss 7.5epss 0.01

    Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

  • CVE-2024-34158HigSep 6, 2024
    risk 0.42cvss 7.5epss 0.01

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    risk 0.42cvss 7.5epss 0.01

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-24784HigMar 5, 2024
    risk 0.42cvss 7.5epss 0.01

    The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  • CVE-2017-1000098HigOct 5, 2017
    risk 0.42cvss 7.5epss 0.02

    The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

  • CVE-2017-1000097HigOct 5, 2017
    risk 0.42cvss 7.5epss 0.01

    On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

  • CVE-2026-27144HigApr 8, 2026
    risk 0.39cvss 7.1epss 0.00

    The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Page 1 of 3