📦 Go
by Golang
⚠️ Known Vulnerabilities
This vulnerability in Go's crypto/tls package allows TLS session resumption to succeed when it should fail due to certificate authority configuration changes between handshakes. It affects Go applicat...
This vulnerability in Go's net package causes IPv4-mapped IPv6 addresses to be incorrectly classified by IsPrivate, IsLoopback, and similar methods, returning false when they should return true. This ...
CVE-2024-3566 is a command injection vulnerability affecting Windows applications that use the CreateProcess function with improper argument quoting. Attackers can execute arbitrary commands with the priv...
CVE-2023-39320 is a critical vulnerability in Go's module system that allows arbitrary code execution when processing malicious go.mod files. It affects Go projects using the toolchain directive intro...
This vulnerability in Go's cgo build system allows malicious Go modules to execute arbitrary code during the build process. Attackers can smuggle dangerous linker flags through LDFLAGS sanitization wh...
CVE-2023-29402 is a critical code injection vulnerability in Go's cgo build system. It allows attackers to execute arbitrary code during build time when processing untrusted modules with director...
This CVE describes a template injection vulnerability in Go's text/template and html/template packages where certain Unicode whitespace characters aren't properly sanitized in JavaScript contexts. Att...
This vulnerability in Go's elliptic curve cryptography library allows Curve.IsOnCurve to incorrectly return true for invalid field elements. This could enable cryptographic bypass attacks where invali...
This vulnerability allows buffer overflow attacks when Go programs compile WebAssembly (WASM) modules with GOARCH=wasm and GOOS=js. Attackers can exploit this by passing large arguments to functions, ...
This vulnerability in the Go programming language allows local privilege escalation through predictable temporary file creation. The dotest() function in debug/gosym/pclntab_test.go creates temporary file...
This vulnerability in Go's encoding/xml package allows attackers to craft XML inputs that behave inconsistently during different processing stages. This can lead to security bypasses, data corruption,...
This vulnerability in Go's encoding/xml package allows attackers to craft XML inputs that behave inconsistently during different processing stages. This can lead to security bypasses, data corruption,...
This vulnerability allows attackers to execute arbitrary code or write arbitrary files when downloading and building Go modules with malicious version strings. It affects systems with Mercurial (hg) o...
This vulnerability allows attackers to write arbitrary content to files they control by exploiting the '#cgo pkg-config:' directive in Go source files. Attackers can use the '--log-file' argument to r...
This vulnerability in Go's net/url package allows attackers to cause denial of service through memory exhaustion by sending HTTP requests with an excessive number of unique query parameters. Any Go ap...
This vulnerability in Go's HostnameError.Error() function allows a malicious certificate to cause excessive resource consumption through unbounded string concatenation. It affects applications using G...
This vulnerability in Go's database/sql package allows race conditions when cancelling queries during parallel database operations. It can cause Scan() methods to return incorrect data from other quer...
This CVE describes a protocol downgrade vulnerability in Go's module fetching system. When using 'go get' with a module ending in '.git', the system may fall back to the insecure 'git://' protocol if ...
This CVE describes a timing side-channel vulnerability in Go's RSA-based TLS key exchange implementation prior to version 1.20. Attackers could potentially recover session key bits by analyzing timing...
CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server resources. This affects any system using HTTP/2, incl...
This vulnerability in QUIC implementations allows malicious connections to cause unbounded memory growth by sending excessively large post-handshake messages. Systems using affected QUIC libraries or ...
This is a cross-site scripting (XSS) vulnerability in Go's html/template package where angle brackets in CSS contexts aren't properly escaped. It affects Go applications using html/template with untru...
This vulnerability in Go's crypto/elliptic library allows an attacker to cause a panic (crash) by providing a specially crafted long scalar input to the generic P-256 implementation. Affects Go applic...
This vulnerability is a stack overflow in Go's encoding/pem package when processing large PEM data. It allows attackers to cause denial of service or potentially execute arbitrary code by crashing the...
This vulnerability in Go's regexp.Compile function allows attackers to cause a denial of service via stack exhaustion by providing a deeply nested regular expression. It affects Go applications using ...
CVE-2022-23772 is an integer overflow vulnerability in Go's math/big.Rat.SetString function that allows attackers to trigger uncontrolled memory consumption (denial of service) by providing specially ...
This vulnerability in Go's debug/macho package allows attackers to read memory beyond allocated buffer boundaries when parsing Mach-O files. It affects applications using Go's debug/macho package to p...
This vulnerability in Go's archive/zip package allows attackers to cause denial-of-service by triggering a panic when processing specially crafted ZIP archives with manipulated file counts. It affects...
This vulnerability in Go's math/big.Rat package causes a panic (crash) when parsing extremely large exponents in rational number strings. It affects applications using Go's SetString or UnmarshalText ...
This vulnerability in Go's XML encoding package causes an infinite loop when a custom TokenReader returns EOF in the middle of an XML element. This can lead to denial of service by consuming excessive...
This vulnerability in Go's archive/zip package uses an inefficient file name indexing algorithm that can be exploited via specially crafted ZIP archives. Attackers can cause denial of service by forci...
This TLS 1.3 vulnerability in Go's crypto/tls library allows a network-local attacker to inject messages during handshake, potentially causing minor information disclosure when messages span encryptio...
This vulnerability allows certificate authorities to issue certificates with wildcard SANs that bypass excluded subdomain constraints. It affects systems using Go's crypto/x509 package for certificate...
This vulnerability in Go's DER parsing allows an attacker to cause memory exhaustion by sending maliciously crafted DER payloads. It affects applications using Go's crypto/x509 or encoding/asn1 packag...
This vulnerability in Go's LookPath function allows unexpected binary execution when PATH contains executable files instead of directories. Attackers could trick applications into running malicious bi...
This vulnerability involves inconsistent symlink handling in Go's os.OpenFile function when using O_CREATE|O_EXCL flags on Windows versus Unix systems. On Windows, when a dangling symlink (symlink poi...
This vulnerability in Go's archive/zip package allows attackers to create specially crafted ZIP files that behave differently depending on which ZIP implementation processes them. This could enable fi...