Package impact

golang Go / toolchain

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2017-15041 | critical | 9.8 | 9.8 | 9y ago | Remote command execution via "go get" in cmd/go | arch, debian, redhat, golang |
| CVE-2023-29405 | critical | | 9.5 | 3y ago | Critical: go-toolset and golang security update | redhat, debian, rockylinux, golang |
| CVE-2023-29404 | critical | | 9.5 | 3y ago | Critical: go-toolset and golang security update | redhat, debian, rockylinux, golang |
| CVE-2023-29402 | critical | | 9.5 | 3y ago | Critical: go-toolset and golang security update | redhat, debian, rockylinux, golang |
| CVE-2026-27144 | high | | 8.0 | 1mo ago | The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves… | redhat, debian, suse, golang, +1 |
| CVE-2026-27140 | high | | 8.0 | 1mo ago | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | redhat, debian, suse, golang, +1 |
| CVE-2026-27143 | high | | 8.0 | 1mo ago | Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading … | redhat, debian, suse, golang, +1 |
| CVE-2025-61731 | high | | 8.0 | 2mo ago | Important: golang security update | rockylinux, redhat, debian, suse, +2 |
| CVE-2025-61732 | high | | 8.0 | 3mo ago | Important: golang security update | rockylinux, redhat, debian, suse, +2 |
| CVE-2025-4674 | high | | 8.0 | 9mo ago | Important: golang security update | redhat, rockylinux, debian, suse, +2 |
| CVE-2018-6574 | high | | 8.0 | 4y ago | Remote command execution via "go get" command with cgo in cmd/go | arch, golang |
| CVE-2018-16873 | high | | 8.0 | 4y ago | Remote command execution via "go get" with "-u" flag in cmd/go | arch, suse, golang |
| CVE-2018-16874 | high | | 8.0 | 4y ago | Directory traversal via "go get" command in cmd/go | arch, suse, golang |
| CVE-2020-28367 | high | | 8.0 | 4y ago | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. | arch, suse, debian, golang |
| CVE-2020-28366 | high | | 8.0 | 4y ago | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. | arch, suse, debian, golang |
| CVE-2026-42501 | high | 7.5 | 7.5 | 21d ago | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module pr… | debian, suse, golang |
| CVE-2026-39817 | medium | 5.9 | 5.9 | 21d ago | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su… | debian, suse, golang, gcp |
| CVE-2023-45285 | medium | | 5.5 | 2y ago | Moderate: golang security update | redhat, suse, debian, golang |
| CVE-2022-23773 | medium | | 5.5 | 4y ago | Moderate: go-toolset:rhel8 security and bug fix update | suse, rockylinux, debian, golang |
| CVE-2021-38297 | medium | | 5.5 | 4y ago | Moderate: go-toolset:rhel8 security and bug fix update | arch, suse, rockylinux, debian, +1 |
| CVE-2021-3115 | medium | | 5.5 | 5y ago | Moderate: go-toolset:rhel8 security, bug fix, and enhancement update | arch, suse, debian, rockylinux, +1 |
| CVE-2026-39819 | medium | 5.3 | 5.3 | 21d ago | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one… | debian, suse, golang, gcp |
| CVE-2025-68119 | unknown | | | 4mo ago | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom d… | debian, suse, golang, gcp |
| CVE-2025-22867 | unknown | | | 1y ago | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special value… | debian, suse, golang |
| CVE-2024-45340 | unknown | | | 1y ago | Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless othe… | debian, suse, golang |
| CVE-2023-24531 | unknown | | | 2y ago | Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behav… | suse, debian, golang |
| CVE-2024-24787 | unknown | | | 2y ago | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. | debian, suse, golang |
| CVE-2023-39323 | unknown | | | 3y ago | Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected … | suse, debian, golang |
| CVE-2023-39320 | unknown | | | 3y ago | Arbitrary code execution via go.mod toolchain directive in cmd/go | suse, golang |
| CVE-2018-7187 | unknown | | | 4y ago | Remote command execution via "go get" command with "-insecure" option in cmd/go | golang |