Vulnerabilities > Golang > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-08 | CVE-2023-39320 | Code Injection vulnerability in Golang GO 1.21.0/1.21.00 The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. | 9.8 |
2023-06-08 | CVE-2023-29405 | Injection vulnerability in multiple products The go command may execute arbitrary code at build time when using cgo. | 9.8 |
2023-06-08 | CVE-2023-29404 | Code Injection vulnerability in multiple products The go command may execute arbitrary code at build time when using cgo. | 9.8 |
2023-06-08 | CVE-2023-29402 | Code Injection vulnerability in multiple products The go command may generate unexpected code at build time when using cgo. | 9.8 |
2023-05-11 | CVE-2023-24540 | Unspecified vulnerability in Golang GO Not all valid JavaScript whitespace characters are considered to be whitespace. | 9.8 |
2023-04-06 | CVE-2023-24538 | Code Injection vulnerability in Golang GO Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. | 9.8 |
2022-02-11 | CVE-2022-23806 | Unchecked Return Value vulnerability in multiple products Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | 9.1 |
2021-10-18 | CVE-2021-38297 | Classic Buffer Overflow vulnerability in multiple products Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | 9.8 |
2019-08-13 | CVE-2019-14809 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. | 9.8 |
2018-02-16 | CVE-2018-7187 | OS Command Injection vulnerability in multiple products The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | 9.3 |