CVE-2026-42507

MEDIUM5.3EPSS 0.03%

Arbitrary inputs are included in errors without any escaping in net/textproto

Published: 6/2/2026Modified: 6/2/2026

Also known as:GO-2026-5039

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected packages (1)

Go/stdlibfrom 0, < 1.25.11, >= 1.26.0-0, < 1.26.4

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (3)

PATCHhttps://go.dev/cl/777060
REPORThttps://go.dev/issue/79346
WEBhttps://groups.google.com/g/golang-announce/c/tKs3rmcBcKw