HIGH8.1CVE-2020-0601⚠ KEVCertificate validation bypass on Windows in crypto/x509 >= 1.12.0, < 1.12.16, >= 1.13.0, < 1.13.7
from 0, < 1.20.10, >= 1.21.0-0, < 1.21.3
from 0, < 1.24.13, >= 1.25.0-0, < 1.25.7
CRITICAL9.8CVE-2026-27143Missing bound checks can lead to memory corruption in safe Go in cmd/compile from 0, < 1.25.9, >= 1.26.0, < 1.26.2
CRITICAL9.8CVE-2023-24531Output of "go env" does not sanitize values in cmd/go from 0, < 1.21.0-0
CRITICAL9.8CVE-2024-24790Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip from 0, < 1.21.11, >= 1.22.0-0, < 1.22.4
CRITICAL9.8CVE-2023-39320Arbitrary code execution via go.mod toolchain directive in cmd/go >= 1.21.0, < 1.21.1
CRITICAL9.8CVE-2023-29402Code injection via go command with cgo in cmd/go from 0, < 1.19.10, >= 1.20.0, < 1.20.5
CRITICAL9.8CVE-2023-29405Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go from 0, < 1.19.10, >= 1.20.0, < 1.20.5
CRITICAL9.8CVE-2023-29404Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go from 0, < 1.19.10, >= 1.20.0, < 1.20.5
CRITICAL9.8CVE-2023-24540Improper handling of JavaScript whitespace in html/template from 0, < 1.19.9, >= 1.20.0, < 1.20.4
CRITICAL9.8CVE-2023-24538Backticks not treated as string delimiters in html/template from 0, < 1.19.8, >= 1.20.0, < 1.20.3
CRITICAL9.8CVE-2021-38297Buffer overflow in WASM modules in misc/wasm and cmd/link from 0, < 1.16.9, >= 1.17.0, < 1.17.2
CRITICAL9.8CVE-2020-29509Authentication bypass in github.com/russellhaering/gosaml2 from 0, < 1.17.0
CRITICAL9.1CVE-2025-22871RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency from 0, < 1.23.8, >= 1.24.0-0, < 1.24.2
CRITICAL9.1CVE-2022-23806Incorrect computation for some invalid field elements in crypto/elliptic from 0, < 1.16.14, >= 1.17.0, < 1.17.7
HIGH8.8CVE-2026-27140Code execution vulnerability in SWIG code generation in cmd/go from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
>= 1.24.0-0, < 1.24.0-rc.2
HIGH8.6CVE-2025-61732Potential code smuggling via doc comments in cmd/cgo from 0, < 1.24.13, >= 1.25.0-0, < 1.25.7
HIGH8.6CVE-2025-4674Unexpected command execution in untrusted VCS repositories in cmd/go from 0, < 1.23.11, >= 1.24.0-0, < 1.24.5
HIGH8.2CVE-2026-33810Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509 >= 1.26.0-0, < 1.26.2
HIGH8.1CVE-2023-39323Arbitrary code execution during build via line directives in cmd/go from 0, < 1.20.9, >= 1.21.0, < 1.21.2
HIGH7.8CVE-2025-61731Arbitrary file write using cgo pkg-config directive in cmd/go from 0, < 1.24.12, >= 1.25.0, < 1.25.6
HIGH7.8CVE-2023-29403Unsafe behavior in setuid/setgid binaries in runtime from 0, < 1.19.10, >= 1.20.0, < 1.20.5
HIGH7.8CVE-2022-30580Empty Cmd.Path can trigger unintended binary in os/exec on Windows from 0, < 1.17.11, >= 1.18.0, < 1.18.3
HIGH7.5CVE-2026-42499Quadratic string concatenation in consumePhrase in net/mail from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
HIGH7.5CVE-2026-42501Malicious module proxy can bypass checksum database in cmd/go from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
HIGH7.5CVE-2026-39836Panic in Dial and LookupPort when handling NUL byte on Windows in net from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
HIGH7.5CVE-2026-39820Quadratic string concatentation in consumeComment in net/mail from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
HIGH7.5CVE-2026-33814Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
HIGH7.5CVE-2026-32283Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
HIGH7.5CVE-2026-32280Unexpected work during chain building in crypto/x509 from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
HIGH7.5CVE-2026-25679Incorrect parsing of IPv6 host literals in net/url from 0, < 1.25.8, >= 1.26.0-0, < 1.26.1
HIGH7.5CVE-2026-27137Incorrect enforcement of email constraints in crypto/x509 >= 1.26.0-0, < 1.26.1
HIGH7.5CVE-2025-61726Memory exhaustion in query parameter parsing in net/url from 0, < 1.24.12, >= 1.25.0, < 1.25.6
HIGH7.5CVE-2025-61729Excessive resource consumption when printing error string for host certificate validation in crypto/x509 from 0, < 1.24.11, >= 1.25.0, < 1.25.5
HIGH7.5CVE-2025-58188Panic when validating certificates with DSA public keys in crypto/x509 from 0, < 1.24.8, >= 1.25.0, < 1.25.2
HIGH7.5CVE-2025-61723Quadratic complexity when parsing some invalid inputs in encoding/pem from 0, < 1.24.8, >= 1.25.0, < 1.25.2
HIGH7.5CVE-2025-58187Quadratic complexity when checking name constraints in crypto/x509 from 0, < 1.24.9, >= 1.25.0, < 1.25.3
HIGH7.5CVE-2025-61725Excessive CPU consumption in ParseAddress in net/mail from 0, < 1.24.8, >= 1.25.0, < 1.25.2
HIGH7.5CVE-2025-22874Usage of ExtKeyUsageAny disables policy validation in crypto/x509 >= 1.24.0-0, < 1.24.4
HIGH7.5CVE-2025-22867Arbitrary code execution during build on darwin in cmd/go >= 1.24.0-rc.2, < 1.24.0-rc.3
HIGH7.5CVE-2025-22865ParsePKCS1PrivateKey panic with partial keys in crypto/x509 >= 1.24.0-0, < 1.24.0-rc.2
from 0, < 1.22.7, >= 1.23.0-0, < 1.23.1
HIGH7.5CVE-2024-34156Stack exhaustion in Decoder.Decode in encoding/gob from 0, < 1.22.7, >= 1.23.0-0, < 1.23.1
HIGH7.5CVE-2024-24791Denial of service due to improper 100-continue handling in net/http from 0, < 1.21.12, >= 1.22.0-0, < 1.22.5
HIGH7.5CVE-2024-24784Comments in display names are incorrectly handled in net/mail from 0, < 1.21.8, >= 1.22.0-0, < 1.22.1
HIGH7.5CVE-2023-45285Command 'go get' may unexpectedly fallback to insecure git in cmd/go from 0, < 1.20.12, >= 1.21.0-0, < 1.21.5
HIGH7.5CVE-2023-45287Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel from 0, < 1.20.0
HIGH7.5CVE-2023-45283Insecure parsing of Windows paths with a \??\ prefix in path/filepath from 0, < 1.20.11, >= 1.21.0-0, < 1.21.4
HIGH7.5CVE-2023-39325HTTP/2 rapid reset can cause excessive work in net/http >= 1.20.0, < 1.20.10, >= 1.21.0, < 1.21.3
HIGH7.5CVE-2023-39321Panic when processing post-handshake message on QUIC connections in crypto/tls >= 1.21.0, < 1.21.1
HIGH7.5CVE-2023-39322Memory exhaustion in QUIC connection handling in crypto/tls >= 1.21.0, < 1.21.1
from 0, < 1.19.8, >= 1.20.0, < 1.20.3
HIGH7.5CVE-2023-24536Excessive resource consumption in net/http, net/textproto and mime/multipart from 0, < 1.19.8, >= 1.20.0, < 1.20.3
HIGH7.5CVE-2023-24534Excessive memory allocation in net/http and net/textproto from 0, < 1.19.8, >= 1.20.0, < 1.20.3
from 0, < 1.19.6, >= 1.20.0, < 1.20.1
HIGH7.5CVE-2022-41723Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net from 0, < 1.19.6, >= 1.20.0, < 1.20.1
from 0, < 1.19.6, >= 1.20.0, < 1.20.1
from 0, < 1.19.6, >= 1.20.0, < 1.20.1
HIGH7.5CVE-2022-41720Restricted file access on Windows in os and net/http from 0, < 1.18.9, >= 1.19.0, < 1.19.4
HIGH7.5CVE-2022-41716Unsanitized NUL in environment variables on Windows in syscall and os/exec from 0, < 1.18.8, >= 1.19.0, < 1.19.3
HIGH7.5CVE-2022-2880Incorrect sanitization of forwarded query parameters in net/http/httputil from 0, < 1.18.7, >= 1.19.0, < 1.19.2
HIGH7.5CVE-2022-41715Memory exhaustion when compiling regular expressions in regexp/syntax from 0, < 1.18.7, >= 1.19.0, < 1.19.2
HIGH7.5CVE-2022-2879Unbounded memory consumption when reading headers in archive/tar from 0, < 1.18.7, >= 1.19.0, < 1.19.2
HIGH7.5CVE-2022-32190Failure to strip relative path components in net/url >= 1.19.0-0, < 1.19.1
HIGH7.5CVE-2022-27664Denial of service in net/http and golang.org/x/net/http2 from 0, < 1.18.6, >= 1.19.0, < 1.19.1
HIGH7.5CVE-2022-32189Panic when decoding Float and Rat types in math/big from 0, < 1.17.13, >= 1.18.0, < 1.18.5
HIGH7.5CVE-2022-23773Incorrect access control in the go command in cmd/go/internal/modfetch from 0, < 1.16.14, >= 1.17.0, < 1.17.7
HIGH7.5CVE-2022-29804Path traversal via Clean on Windows in path/filepath from 0, < 1.17.11, >= 1.18.0, < 1.18.3
HIGH7.5CVE-2020-28367Arbitrary code execution via the go command with cgo in cmd/go from 0, < 1.14.12, >= 1.15.0, < 1.15.5
HIGH7.5CVE-2020-28366Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo from 0, < 1.14.12, >= 1.15.0, < 1.15.5
HIGH7.5CVE-2022-30630Stack exhaustion in Glob on certain paths in io/fs from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-30635Stack exhaustion when decoding certain messages in encoding/gob from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-30631Stack exhaustion when reading certain archives in compress/gzip from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-30633Stack exhaustion when unmarshaling certain documents in encoding/xml from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-30632Stack exhaustion on crafted paths in path/filepath from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-28131Stack exhaustion from deeply nested XML documents in encoding/xml from 0, < 1.17.12, >= 1.18.0, < 1.18.4
HIGH7.5CVE-2022-30634Indefinite hang with large buffers on Windows in crypto/rand from 0, < 1.17.11, >= 1.18.0, < 1.18.3
HIGH7.5CVE-2021-33194Infinite loop when parsing inputs in golang.org/x/net/html from 0, < 1.15.12, >= 1.16.0, < 1.16.4
HIGH7.5CVE-2022-24921Stack exhaustion when compiling deeply nested expressions in regexp from 0, < 1.16.15, >= 1.17.0, < 1.17.8
from 0, < 1.16.14, >= 1.17.0, < 1.17.7
HIGH7.5CVE-2022-27536Panic during certificate parsing on Darwin in crypto/x509 >= 1.18.0, < 1.18.1
HIGH7.5CVE-2022-28327Panic due to large inputs affecting P-256 curves in crypto/elliptic from 0, < 1.17.9, >= 1.18.0, < 1.18.1
HIGH7.5CVE-2022-24675Stack overflow from a large amount of PEM data in encoding/pem from 0, < 1.17.9, >= 1.18.0, < 1.18.1
from 0, < 1.16.8, >= 1.17.0, < 1.17.1
HIGH7.5CVE-2021-27918Infinite loop when decoding inputs in encoding/xml from 0, < 1.15.9, >= 1.16.0, < 1.16.1
from 0, < 1.15.13, >= 1.16.0, < 1.16.5
from 0, < 1.15.13, >= 1.16.0, < 1.16.5
HIGH7.5CVE-2021-41772Panic when opening certain archives in archive/zip from 0, < 1.16.10, >= 1.17.0, < 1.17.3
from 0, < 1.16.10, >= 1.17.0, < 1.17.3
HIGH7.5CVE-2021-44716Unbounded memory growth in net/http and golang.org/x/net/http2 from 0, < 1.16.12, >= 1.17.0, < 1.17.5
from 0, < 1.13.15, >= 1.14.0, < 1.14.7
HIGH7.5CVE-2021-29923Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) al… from 0, < 1.17.0
HIGH7.5CVE-2020-7919Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte >= 1.12.0, < 1.12.6, >= 1.13.0, < 1.13.7
HIGH7.5CVE-2020-28362Panic during division of very large numbers in math/big from 0, < 1.14.12, >= 1.15.0, < 1.15.5
HIGH7.5CVE-2021-3115Arbitrary code injection via the go command with cgo on Windows in cmd/go from 0, < 1.14.14, >= 1.15.0, < 1.15.7
HIGH7.5CVE-2020-28851In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. >= 1.15.4, < 1.15.5
HIGH7.3CVE-2023-29400Improper handling of empty HTML attributes in html/template from 0, < 1.19.9, >= 1.20.0, < 1.20.4
HIGH7.3CVE-2023-24539Improper sanitization of CSS values in html/template from 0, < 1.19.9, >= 1.20.0, < 1.20.4
HIGH7.3CVE-2021-33195Improper sanitization when resolving values from DNS in net from 0, < 1.15.13, >= 1.16.0, < 1.16.5
HIGH7.1CVE-2026-27144Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile from 0, < 1.25.9, >= 1.26.0, < 1.26.2
HIGH7.0CVE-2025-68119Unexpected code execution when invoking toolchain in cmd/go >= 1.25.0, < 1.25.6
HIGH7.0CVE-2025-47907Incorrect results returned from Rows.Scan in database/sql from 0, < 1.23.12, >= 1.24.0, < 1.24.6
MEDIUM6.8CVE-2025-4673Sensitive headers not cleared on cross-origin redirect in net/http from 0, < 1.23.10, >= 1.24.0-0, < 1.24.4
MEDIUM6.5CVE-2025-61728Excessive CPU consumption when building archive index in archive/zip from 0, < 1.24.12, >= 1.25.0, < 1.25.6
MEDIUM6.5CVE-2025-61727Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 from 0, < 1.24.11, >= 1.25.0, < 1.25.5
MEDIUM6.5CVE-2025-47906Unexpected paths returned from LookPath in os/exec from 0, < 1.23.12, >= 1.24.0, < 1.24.6
MEDIUM6.5CVE-2023-45290Memory exhaustion in multipart form parsing in net/textproto and net/http from 0, < 1.21.8, >= 1.22.0-0, < 1.22.1
MEDIUM6.5CVE-2023-29406Insufficient sanitization of Host header in net/http from 0, < 1.19.11, >= 1.20.0, < 1.20.6
from 0, < 1.17.12, >= 1.18.0, < 1.18.4
MEDIUM6.5CVE-2022-1705Improper sanitization of Transfer-Encoding headers in net/http from 0, < 1.17.12, >= 1.18.0, < 1.18.4
MEDIUM6.5CVE-2021-3114Incorrect operations on the P-224 curve in crypto/elliptic from 0, < 1.14.14, >= 1.15.0, < 1.15.7
from 0, < 1.15.14, >= 1.16.0, < 1.16.6
MEDIUM6.4CVE-2026-32282TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
MEDIUM6.4CVE-2024-24787Arbitrary code execution during build on Darwin in cmd/go from 0, < 1.21.10, >= 1.22.0-0, < 1.22.3
from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
MEDIUM6.1CVE-2026-39823Bypass of meta content URL escaping causes XSS in html/template from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
MEDIUM6.1CVE-2026-32289JsBraceDepth Context Tracking Bugs (XSS) in html/template from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
MEDIUM6.1CVE-2026-27142URLs in meta content attribute actions are not escaped in html/template from 0, < 1.25.8, >= 1.26.0-0, < 1.26.1
MEDIUM6.1CVE-2024-45341Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 from 0, < 1.22.11, >= 1.23.0-0, < 1.23.5, >= 1.24.0-0, < 1.24.0
MEDIUM6.1CVE-2024-45336Sensitive headers incorrectly sent after cross-domain redirect in net/http from 0, < 1.22.11, >= 1.23.0-0, < 1.23.5, >= 1.24.0-0, < 1.24.0
MEDIUM6.1CVE-2023-39319Improper handling of special tags within script contexts in html/template from 0, < 1.20.8, >= 1.21.0, < 1.21.1
MEDIUM6.1CVE-2023-39318Improper handling of HTML-like comments in script contexts in html/template from 0, < 1.20.8, >= 1.21.0, < 1.21.1
MEDIUM6.1CVE-2020-24553Cross-site scripting in net/http/cgi and net/http/fcgi from 0, < 1.14.8, >= 1.15.0, < 1.15.1
MEDIUM5.9CVE-2026-39817Invoking "go tool pack" does not sanitize output paths in cmd/go from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
MEDIUM5.9CVE-2026-27138Panic in name constraint checking for malformed certificates in crypto/x509 >= 1.26.0-0, < 1.26.1
MEDIUM5.9CVE-2024-24788Malformed DNS message can cause infinite loop in net >= 1.22.0-0, < 1.22.3
MEDIUM5.9CVE-2024-24783Verify panics on certificates with an unknown public key algorithm in crypto/x509 from 0, < 1.21.8, >= 1.22.0-0, < 1.22.1
MEDIUM5.9CVE-2021-31525golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion from 0, < 1.15.12, >= 1.16.0, < 1.16.4
from 0, < 1.13.13, >= 1.14.0, < 1.14.5
from 0, < 1.15.15, >= 1.16.0, < 1.16.7
MEDIUM5.6CVE-2020-29511The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization r… from 0, < 1.17.0
MEDIUM5.6CVE-2020-29510The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-… from 0, < 1.15.1
MEDIUM5.5CVE-2026-32288Unbounded allocation for old GNU sparse in archive/tar from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
MEDIUM5.5CVE-2025-0913Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall from 0, < 1.23.10, >= 1.24.0-0, < 1.24.4
MEDIUM5.5CVE-2024-24789Mishandling of corrupt central directory record in archive/zip from 0, < 1.21.11, >= 1.22.0-0, < 1.22.4
MEDIUM5.5CVE-2022-1962Stack exhaustion due to deeply nested types in go/parser from 0, < 1.17.12, >= 1.18.0, < 1.18.4
>= 1.16.0, < 1.16.1
MEDIUM5.4CVE-2025-47910CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http >= 1.25.0, < 1.25.1
MEDIUM5.4CVE-2024-24785Errors returned from JSON marshaling may break template escaping in html/template from 0, < 1.21.8, >= 1.22.0-0, < 1.22.1
MEDIUM5.3CVE-2026-39819Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
MEDIUM5.3CVE-2026-39825ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
MEDIUM5.3CVE-2025-61730Handshake messages may be processed at the incorrect encryption level in crypto/tls from 0, < 1.24.12, >= 1.25.0, < 1.25.6
MEDIUM5.3CVE-2025-61724Excessive CPU consumption in Reader.ReadResponse in net/textproto from 0, < 1.24.8, >= 1.25.0, < 1.25.2
MEDIUM5.3CVE-2025-58186Lack of limit when parsing cookies can cause memory exhaustion in net/http from 0, < 1.24.8, >= 1.25.0, < 1.25.2
MEDIUM5.3CVE-2025-58185Parsing DER payload can cause memory exhaustion in encoding/asn1 from 0, < 1.24.8, >= 1.25.0, < 1.25.2
MEDIUM5.3CVE-2025-47912Insufficient validation of bracketed IPv6 hostnames in net/url from 0, < 1.24.8, >= 1.25.0, < 1.25.2
MEDIUM5.3CVE-2025-58189ALPN negotiation error contains attacker controlled information in crypto/tls from 0, < 1.24.8, >= 1.25.0, < 1.25.2
from 0, < 1.21.9, >= 1.22.0-0, < 1.22.2
MEDIUM5.3CVE-2023-39326Denial of service via chunk extensions in net/http from 0, < 1.20.12, >= 1.21.0-0, < 1.21.5
MEDIUM5.3CVE-2023-45284Incorrect detection of reserved device names on Windows in path/filepath from 0, < 1.20.11, >= 1.21.0-0, < 1.21.4
MEDIUM5.3CVE-2023-29409Large RSA keys can cause high CPU usage in crypto/tls from 0, < 1.19.12, >= 1.20.0, < 1.20.7
MEDIUM5.3CVE-2023-24532Incorrect calculation on P256 curves in crypto/internal/nistec from 0, < 1.19.7, >= 1.20.0, < 1.20.2
MEDIUM5.3CVE-2022-41717Excessive memory growth in net/http and golang.org/x/net/http2 from 0, < 1.18.9, >= 1.19.0, < 1.19.4
MEDIUM5.3CVE-2022-29526golang.org/x/sys/unix has Incorrect privilege reporting in syscall from 0, < 1.17.10, >= 1.18.0, < 1.18.2
MEDIUM5.3CVE-2020-14039Certificate verification error on Windows in crypto/x509 from 0, < 1.13.13, >= 1.14.0, < 1.14.5
MEDIUM5.3CVE-2021-33197Attacker can drop certain headers in net/http/httputil from 0, < 1.15.13, >= 1.16.0, < 1.16.5
from 0, < 1.16.12, >= 1.17.0, < 1.17.5
MEDIUM4.3CVE-2025-58183Unbounded allocation when parsing GNU sparse map in archive/tar from 0, < 1.24.8, >= 1.25.0, < 1.25.2
MEDIUM4.3CVE-2024-34155Stack exhaustion in all Parse functions in go/parser from 0, < 1.22.7, >= 1.23.0-0, < 1.23.1
MEDIUM4.3CVE-2023-45289Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http from 0, < 1.21.8, >= 1.22.0-0, < 1.22.1
MEDIUM4.0CVE-2025-22866Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec from 0, < 1.22.12, >= 1.23.0-0, < 1.23.6, >= 1.24.0-0, < 1.24.0
from 0, < 1.23.9, >= 1.24.0-0, < 1.24.3
LOW3.1CVE-2022-30629Session tickets lack random ticket_age_add in crypto/tls from 0, < 1.17.11, >= 1.18.0, < 1.18.3
from 0, < 1.25.8, >= 1.26.0-0, < 1.26.1