| CVE-2017-15041 |
critical |
9.8 |
9.8 |
|
|
|
9y ago |
Remote command execution via "go get" in cmd/go |
| CVE-2023-29405 |
critical |
— |
9.5 |
|
|
|
3y ago |
Critical: go-toolset and golang security update |
| CVE-2023-29402 |
critical |
— |
9.5 |
|
|
|
3y ago |
Critical: go-toolset and golang security update |
| CVE-2023-29404 |
critical |
— |
9.5 |
|
|
|
3y ago |
Critical: go-toolset and golang security update |
| CVE-2026-27144 |
high |
— |
8.0 |
|
|
|
1mo ago |
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves… |
| CVE-2026-27143 |
high |
— |
8.0 |
|
|
|
1mo ago |
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading … |
| CVE-2026-27140 |
high |
— |
8.0 |
|
|
|
1mo ago |
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. |
| CVE-2025-61731 |
high |
— |
8.0 |
|
|
|
2mo ago |
Important: golang security update |
| CVE-2025-61732 |
high |
— |
8.0 |
|
|
|
3mo ago |
Important: golang security update |
| CVE-2025-4674 |
high |
— |
8.0 |
|
|
|
9mo ago |
Important: golang security update |
| CVE-2018-6574 |
high |
— |
8.0 |
|
|
|
4y ago |
Remote command execution via "go get" command with cgo in cmd/go |
| CVE-2018-16873 |
high |
— |
8.0 |
|
|
|
4y ago |
Remote command execution via "go get" with "-u" flag in cmd/go |
| CVE-2018-16874 |
high |
— |
8.0 |
|
|
|
4y ago |
Directory traversal via "go get" command in cmd/go |
| CVE-2020-28367 |
high |
— |
8.0 |
|
|
|
4y ago |
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. |
| CVE-2020-28366 |
high |
— |
8.0 |
|
|
|
4y ago |
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. |
| CVE-2026-42501 |
high |
7.5 |
7.5 |
|
|
|
21d ago |
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module pr… |
| CVE-2026-39817 |
medium |
5.9 |
5.9 |
|
|
|
21d ago |
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su… |
| CVE-2023-45285 |
medium |
— |
5.5 |
|
|
|
2y ago |
Moderate: golang security update |
| CVE-2022-23773 |
medium |
— |
5.5 |
|
|
|
4y ago |
Moderate: go-toolset:rhel8 security and bug fix update |
| CVE-2021-38297 |
medium |
— |
5.5 |
|
|
|
4y ago |
Moderate: go-toolset:rhel8 security and bug fix update |
| CVE-2021-3115 |
medium |
— |
5.5 |
|
|
|
5y ago |
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update |
| CVE-2026-39819 |
medium |
5.3 |
5.3 |
|
|
|
21d ago |
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one… |