| Severity | Score | CVE | Summary | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2026-27143 | Missing bound checks can lead to memory corruption in safe Go in cmd/compile | from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2 |
| CRITICAL | 9.8 | CVE-2023-24531 | Output of "go env" does not sanitize values in cmd/go | from 0, < 1.21.0-0 |
| CRITICAL | 9.8 | CVE-2023-39320 | Arbitrary code execution via go.mod toolchain directive in cmd/go | >= 1.21.0-0, < 1.21.1 |
| CRITICAL | 9.8 | CVE-2023-29402 | Code injection via go command with cgo in cmd/go | from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5 |
| CRITICAL | 9.8 | CVE-2023-29405 | Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go | from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5 |
| CRITICAL | 9.8 | CVE-2023-29404 | Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go | from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5 |
| CRITICAL | 9.8 | CVE-2021-38297 | Buffer overflow in WASM modules in misc/wasm and cmd/link | from 0, < 1.16.9, >= 1.17.0-0, < 1.17.2 |
| HIGH | 8.8 | CVE-2026-27140 | Code execution vulnerability in SWIG code generation in cmd/go | from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2 |
| | | | | >= 1.24.0-0, < 1.24.0-rc.2 |
| HIGH | 8.6 | CVE-2025-61732 | Potential code smuggling via doc comments in cmd/cgo | from 0, < 1.24.13, >= 1.25.0-0, < 1.25.7 |
| HIGH | 8.6 | CVE-2025-4674 | Unexpected command execution in untrusted VCS repositories in cmd/go | from 0, < 1.23.11, >= 1.24.0-0, < 1.24.5 |
| HIGH | 8.1 | CVE-2023-39323 | Arbitrary code execution during build via line directives in cmd/go | from 0, < 1.20.9, >= 1.21.0-0, < 1.21.2 |
| HIGH | 7.8 | CVE-2025-61731 | Arbitrary file write using cgo pkg-config directive in cmd/go | from 0, < 1.24.12, >= 1.25.0, < 1.25.6 |
| HIGH | 7.5 | CVE-2026-42501 | Malicious module proxy can bypass checksum database in cmd/go | from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3 |
| HIGH | 7.5 | CVE-2025-22867 | Arbitrary code execution during build on darwin in cmd/go | >= 1.24.0-rc.2, < 1.24.0-rc.3 |
| HIGH | 7.5 | CVE-2023-45285 | Command 'go get' may unexpectedly fallback to insecure git in cmd/go | from 0, < 1.20.12, >= 1.21.0-0, < 1.21.5 |
| HIGH | 7.5 | CVE-2022-23773 | Incorrect access control in the go command in cmd/go/internal/modfetch | from 0, < 1.16.14, >= 1.17.0-0, < 1.17.7 |
| HIGH | 7.5 | CVE-2020-28367 | Arbitrary code execution via the go command with cgo in cmd/go | from 0, < 1.14.12, >= 1.15.0-0, < 1.15.5 |
| HIGH | 7.5 | CVE-2020-28366 | Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo | from 0, < 1.14.12, >= 1.15.0-0, < 1.15.5 |
| HIGH | 7.5 | CVE-2021-3115 | Arbitrary code injection via the go command with cgo on Windows in cmd/go | from 0, < 1.14.14, >= 1.15.0-0, < 1.15.7 |
| HIGH | 7.1 | CVE-2026-27144 | Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile | from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2 |
| HIGH | 7.0 | CVE-2025-68119 | Unexpected code execution when invoking toolchain in cmd/go | >= 1.25.0, < 1.25.6 |
| MEDIUM | 6.4 | CVE-2024-24787 | Arbitrary code execution during build on Darwin in cmd/go | from 0, < 1.21.10, >= 1.22.0-0, < 1.22.3 |
| MEDIUM | 5.9 | CVE-2026-39817 | Invoking "go tool pack" does not sanitize output paths in cmd/go | from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3 |
| MEDIUM | 5.3 | CVE-2026-39819 | Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go | from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3 |
| | | | | from 0, < 1.9.5, >= 1.10.0-0, < 1.10.1 |
| | | | | from 0, < 1.8.7, >= 1.9.0-0, < 1.9.4 |
| | | | | from 0, < 1.8.4, >= 1.9.0-0, < 1.9.1 |
| — | | CVE-2018-16873 | Remote command execution via "go get" with "-u" flag in cmd/go | from 0, < 1.10.6, >= 1.11.0-0, < 1.11.3 |
| | | | | from 0, < 1.10.6, >= 1.11.0-0, < 1.11.3 |