Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Go Number Of NVD 140 CRITICAL 16 HIGH 84 MEDIUM 38 LOW 2
URL https://golang.org/
Explanation It is a programming language developed by Google.
It has a simple syntax and can be coded by anyone to look the same.
It has been adopted by many companies because it is good at parallel processing and can perform well on multi-core systems.
Since it is cross-compatible, it can be run in a variety of environments including Windows, Linux, Mac, and Android.

As a result of prioritizing simplicity, there are some disadvantages such as the lack of exception handling (there are alternative functions), which is common in other languages.
This may be implemented in the future.

A major release is made about every 6 months.
If a critical bug or security issue is fixed during the major release, a minor release is made.

The last two major releases are supported and covered.
Since major releases are made about every six months, the major version a year ago will no longer be supported.
Tag
  • BSD License
  • オープンソース

Add Information URL
No Type Name URL
1 https://github.com/golang/go/wiki/Go-Release-Cycle
2 https://golang.org/doc/devel/release.html
3 https://github.com/golang/go/wiki/MinorReleases
4 https://golang.org/security
5 https://golang.org/doc/copyright.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
11 New!! Go 1.26 1.26.5 July 7, 2026 Feb. 10, 2026 0 10 8 1
12 go 1.21 1.21.13 Aug. 6, 2024 June 16, 2023 2 15 13 1
13 go 1.20 1.20.7 Aug. 1, 2023 Feb. 1, 2023 6 23 15 1
14 go 1.19 1.19.13 Sept. 6, 2023 Aug. 2, 2022 6 30 16 1
15 Go 1.18 1.18.10 Jan. 10, 2023 March 15, 2022 6 42 20 2
16 Go 1.17 1.17.13 Aug. 1, 2022 Aug. 16, 2021 8 48 21 2
17 Go 1.16 1.16.15 March 3, 2022 Feb. 16, 2021 8 54 28 2
18 Go 1.15 1.15.15 Aug. 4, 2021 Aug. 11, 2020 8 59 30 2
19 Go 1.14 1.14.15 Feb. 4, 2021 Feb. 25, 2020 8 59 32 2
20 Go 1.13 1.13.15 Aug. 6, 2020 Sept. 3, 2019 8 63 32 2
21 Go 1.12 1.12.17 Feb. 12, 2020 Feb. 25, 2019 10 64 32 2
22 go 1.9 1.9.7 11 67 33 2
23 go 1.8 1.8.7 11 67 34 2
24 go 1.7 1.7.6 11 70 34 2
25 go 1.6 1.6.4 11 72 34 2
26 go 1.5 1.5.4 11 73 34 2
27 go 1.4 1.4.3 14 71 34 2
28 go 1.3 1.3.3 14 71 35 2
29 go 1.2 1.20.7 Aug. 1, 2023 14 72 36 2
30 go 1.12 1.12.9 10 64 32 2
31 go 1.11 1.11.9 10 64 33 2
32 go 1.10 1.10.8 10 67 32 2
33 go 1.1 1.19.13 Sept. 6, 2023 14 73 36 2
34 go 1.0 1.0.3 15 71 34 2
35 go 0.0 0.0.0-20201203163018-be400aefbc4c 14 70 34 2
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
11 5.9
-
MEDIUM
Local
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su… CWE-787
 Out-of-bounds Write
CVE-2026-39817 cpe:2.3:a:golang:go:*:*
1.26.0


1.25.10
1.26.3
2026-05-13 23:59
2026-05-8
Show GitHub Exploit DB Packet Storm
12 7.5
-
HIGH
Network
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. CWE-835
 Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-33814 cpe:2.3:a:golang:go:*:*
1.26.0


1.25.10
1.26.3
2026-05-13 23:41
2026-05-8
Show GitHub Exploit DB Packet Storm
13 7.5
-
HIGH
Network
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CWE-415
 Double Free
CVE-2026-33811 cpe:2.3:a:golang:go:*:*
1.26.0


1.25.10
1.26.3
2026-05-13 05:23
2026-05-8
Show GitHub Exploit DB Packet Storm
14 7.5
-
HIGH
Network
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affe… CWE-295
Improper Certificate Validation 
CVE-2026-33810 cpe:2.3:a:golang:go:*:* 1.26.0 1.26.2 2026-04-21 03:16
2026-04-8
Show GitHub Exploit DB Packet Storm
15 6.1
-
MEDIUM
Network
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG set… CWE-79
Cross-site Scripting
CVE-2026-27142 cpe:2.3:a:golang:go:1.26.0:*
cpe:2.3:a:golang:go:*:*
1.25.8 2026-04-21 23:30
2026-03-7
Show GitHub Exploit DB Packet Storm
16 2.5
-
LOW
Local
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impac… CWE-22
Path Traversal
CVE-2026-27139 cpe:2.3:a:golang:go:1.26.0:*
cpe:2.3:a:golang:go:*:*
1.25.8 2026-04-21 23:32
2026-03-7
Show GitHub Exploit DB Packet Storm
17 5.9
-
MEDIUM
Network
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either di… CWE-295
Improper Certificate Validation 
CVE-2026-27138 cpe:2.3:a:golang:go:1.26.0:* 2026-04-21 23:39
2026-03-7
Show GitHub Exploit DB Packet Storm
18 7.5
-
HIGH
Network
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will n… CWE-295
Improper Certificate Validation 
CVE-2026-27137 cpe:2.3:a:golang:go:1.26.0:* 2026-04-21 23:40
2026-03-7
Show GitHub Exploit DB Packet Storm
19 7.5
-
HIGH
Network
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CWE-425
 Direct Request ('Forced Browsing')
CVE-2026-25679 cpe:2.3:a:golang:go:1.26.0:*
cpe:2.3:a:golang:go:*:*
1.25.8 2026-04-21 23:43
2026-03-7
Show GitHub Exploit DB Packet Storm
20 9.8
-
CRITICAL
Network
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. NVD-CWE-noinfo
CVE-2024-24790 cpe:2.3:a:golang:go:*:* 1.22.0


1.22.4
1.21.11
2024-11-21 17:59
2024-06-6
Show GitHub Exploit DB Packet Storm