Vulnerabilities > Golang > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-09-08 CVE-2023-39320 Code Injection vulnerability in Golang GO 1.21.0/1.21.00
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module.
network
low complexity
golang CWE-94
critical
9.8
2023-06-08 CVE-2023-29405 Injection vulnerability in multiple products
The go command may execute arbitrary code at build time when using cgo.
network
low complexity
golang fedoraproject CWE-74
critical
9.8
2023-06-08 CVE-2023-29404 Code Injection vulnerability in multiple products
The go command may execute arbitrary code at build time when using cgo.
network
low complexity
golang fedoraproject CWE-94
critical
9.8
2023-06-08 CVE-2023-29402 Code Injection vulnerability in multiple products
The go command may generate unexpected code at build time when using cgo.
network
low complexity
golang fedoraproject CWE-94
critical
9.8
2023-05-11 CVE-2023-24540 Unspecified vulnerability in Golang GO
Not all valid JavaScript whitespace characters are considered to be whitespace.
network
low complexity
golang
critical
9.8
2023-04-06 CVE-2023-24538 Code Injection vulnerability in Golang GO
Templates do not properly consider backticks (`) as JavaScript string delimiters, and do not escape them as expected.
network
low complexity
golang CWE-94
critical
9.8
2022-02-11 CVE-2022-23806 Unchecked Return Value vulnerability in multiple products
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
network
low complexity
golang netapp debian CWE-252
critical
9.1
2021-10-18 CVE-2021-38297 Classic Buffer Overflow vulnerability in multiple products
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
network
low complexity
golang fedoraproject CWE-120
critical
9.8
2019-08-13 CVE-2019-14809
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications.
network
low complexity
golang debian
critical
9.8
2018-02-16 CVE-2018-7187 OS Command Injection vulnerability in multiple products
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
network
golang debian CWE-78
critical
9.3