go

Go's encoding/xml handles namespace prefixes on XML elements in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and...

Go's encoding/xml handles XML directives in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and xml.Encoder...

Go's encoding/xml handles namespace prefixes on XML attributes in a way that causes crafted markup to mutate during round-trips through the xml.Decoder and...

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in...

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle...

A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on...

A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect...

A flaw was found in go before 1.15.5 where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on...

A flaw was found in go beforer 1.15.5  where the go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get...

A flaw was found in go before 1.15.5 where a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)...

In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would...

Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,...

net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in...

An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes...

An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that...

An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal...

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker...

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might...

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go...

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path...

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by...

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit....

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that...