CVE-2026-42507
MEDIUM 5.3 · EPSS 0.03%
Arbitrary inputs are included in errors without any escaping in net/textproto
Published: 2026/6/2 · Modified: 2026/6/2
Also known as: GO-2026-5039
Description
When returning errors, functions in the net/textproto package would include their input, unescaped, as part of the error. This might allow an attacker to inject misleading content into errors that are printed or logged.
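One way to log such errors defensively, as an added example that is not part of the advisory or of the Go project's code. The helper names `parseHeader`, `logSafe` and `hasControl` and the sample input are constructed for illustration; escaping the error text at the logging call keeps control bytes out of log output whether or not the standard library already escapes it.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// Constructed sample: a header line with no colon that carries an ANSI
// escape and a bare carriage return followed by text shaped like a log entry.
const sampleInput = "X-Note\x1b[2K\rlevel=info msg=ok\r\n\r\n"

// parseHeader feeds peer-controlled bytes to net/textproto and returns
// the parse error, if any.
func parseHeader(raw string) error {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	_, err := r.ReadMIMEHeader()
	return err
}

// logSafe renders an error as a single quoted ASCII token. QuoteToASCII
// escapes control bytes, quotes and non-ASCII runes, so text echoed from
// the peer cannot start a new log line or drive a terminal.
func logSafe(err error) string {
	if err == nil {
		return `""`
	}
	return strconv.QuoteToASCII(err.Error())
}

// hasControl reports whether s contains any ASCII control byte.
func hasControl(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	err := parseHeader(sampleInput)
	// On affected versions the raw error text carries the control bytes.
	fmt.Printf("raw error has control bytes: %v\n", hasControl(err.Error()))
	fmt.Printf("parse_error=%s\n", logSafe(err))
}
```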
Affected packages (1)
- Go/stdlib: from 0, < 1.25.11; >= 1.26.0-0, < 1.26.4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| nvd | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |