| CVE-2025-22874 |
AVG-2896 |
Medium |
Yes |
Certificate verification bypass |
crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny, certificate policy validation is unintentionally disabled. This affects certificate... |
| CVE-2025-22873 |
AVG-2878 |
Low |
No |
Directory traversal |
It was possible to improperly access the parent directory of a restricted filesystem root created with os.DirFS. Calling Open("../") on such a filesystem... |
| CVE-2025-4673 |
AVG-2896 |
Medium |
Yes |
Information disclosure |
net/http: Proxy-Authorization and Proxy-Authenticate headers were not cleared during cross-origin redirects, potentially leaking sensitive credentials in... |
| CVE-2021-44717 |
AVG-2617 |
Medium |
Yes |
Incorrect calculation |
A security issue has been found in go before version 1.17.5. When a Go program running on a Unix system is out of file descriptors and calls... |
| CVE-2021-44716 |
AVG-2617 |
Medium |
Yes |
Denial of service |
A security issue has been found in go before version 1.17.5. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. |
| CVE-2021-41772 |
AVG-2527 |
Low |
Yes |
Denial of service |
A security issue has been found in go before version 1.17.3. Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an... |
| CVE-2021-41771 |
AVG-2527 |
Low |
Yes |
Denial of service |
A security issue has been found in go before version 1.17.3. Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols,... |
| CVE-2021-39293 |
AVG-2370 |
Low |
Yes |
Denial of service |
A security issue has been found in go before version 1.17.1. An oversight in the fix for CVE-2021-33196 still allows for an out of memory panic when the... |
| CVE-2021-38297 |
AVG-2454 |
Medium |
Yes |
Arbitrary code execution |
A security issue has been found in go before version 1.17.2. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large... |
| CVE-2021-36221 |
AVG-2259 |
Low |
Yes |
Denial of service |
A security issue has been found in Go before version 1.16.7. A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with... |
| CVE-2021-34558 |
AVG-2147 |
Low |
Yes |
Denial of service |
A security issue has been found in Go before version 1.16.6. crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated... |
| CVE-2021-33198 |
AVG-2006 |
Low |
Yes |
Denial of service |
A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable... |
| CVE-2021-33197 |
AVG-2006 |
Medium |
Yes |
Url request injection |
A security issue has been found in Go before version 1.16.5. ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers,... |
| CVE-2021-33196 |
AVG-2006 |
Low |
Yes |
Denial of service |
A security issue has been found in Go before version 1.16.5. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it... |
| CVE-2021-33195 |
AVG-2006 |
Medium |
Yes |
Insufficient validation |
A security issue has been found in Go before version 1.16.5. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their... |
| CVE-2021-31525 |
AVG-1927 |
Low |
Yes |
Denial of service |
A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very... |
| CVE-2021-29923 |
AVG-1357 |
Medium |
Yes |
Access restriction bypass |
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to... |
| CVE-2021-27919 |
AVG-1668 |
Low |
No |
Denial of service |
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in... |
| CVE-2021-27918 |
AVG-1668 |
Low |
No |
Denial of service |
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle... |
| CVE-2021-3115 |
AVG-1481 |
Medium |
No |
Arbitrary command execution |
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on... |
| CVE-2021-3114 |
AVG-1481 |
Low |
No |
Incorrect calculation |
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect... |
| CVE-2020-29511 |
AVG-1357 |
Medium |
No |
Incorrect calculation |
Go's encoding/xml handles namespace prefixes on XML elements in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and... |
| CVE-2020-29510 |
AVG-1357 |
Medium |
Yes |
Incorrect calculation |
Go's encoding/xml handles XML directives in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and xml.Encoder... |
| CVE-2020-29509 |
AVG-1357 |
Medium |
Yes |
Incorrect calculation |
Go's encoding/xml handles namespace prefixes on XML attributes in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and... |
| CVE-2020-28367 |
AVG-1278 |
High |
Yes |
Arbitrary code execution |
A flaw was found in go before 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on... |
| CVE-2020-28366 |
AVG-1278 |
High |
Yes |
Arbitrary code execution |
A flaw was found in go beforer 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get... |
| CVE-2020-28362 |
AVG-1278 |
Low |
No |
Denial of service |
A flaw was found in go before 1.15.5 where a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)... |
| CVE-2020-24553 |
AVG-1215 |
Medium |
Yes |
Cross-site scripting |
In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would... |
| CVE-2019-17596 |
AVG-1051 |
Medium |
Yes |
Denial of service |
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,... |
| CVE-2019-16276 |
AVG-1050 |
High |
Yes |
Access restriction bypass |
net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in... |
| CVE-2019-14809 |
AVG-1021 |
Medium |
Yes |
Insufficient validation |
An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes... |
| CVE-2019-9514 |
AVG-1021 |
Medium |
Yes |
Denial of service |
An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that... |
| CVE-2019-9512 |
AVG-1021 |
Medium |
Yes |
Denial of service |
An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal... |
| CVE-2019-6486 |
AVG-859 |
Medium |
Yes |
Private key recovery |
Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker... |
| CVE-2018-16875 |
AVG-835 |
Medium |
Yes |
Denial of service |
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might... |
| CVE-2018-16874 |
AVG-835 |
High |
Yes |
Directory traversal |
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go... |
| CVE-2018-16873 |
AVG-835 |
High |
Yes |
Arbitrary command execution |
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path... |
| CVE-2018-6574 |
AVG-606 |
High |
Yes |
Arbitrary code execution |
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by... |
| CVE-2017-1000098 |
AVG-433 |
High |
Yes |
Denial of service |
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit.... |
| CVE-2017-15041 |
AVG-442 |
High |
Yes |
Arbitrary command execution |
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that... |