CVE-2026-25679

Опубликовано: 06 мар. 2026

Источник: debian

EPSS Низкий

Описание

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Пакет	Статус	Версия исправления	Релиз	Тип
golang-1.26	fixed	1.26.1-1		package
golang-1.25	fixed	1.25.8-1		package
golang-1.24	not-affected			package
golang-1.19	not-affected			package
golang-1.15	removed			package
golang-1.15	not-affected		bullseye	package

https://github.com/golang/go/issues/77578
Introduced with: https://github.com/golang/go/commit/f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd (go1.26rc1)
Intorduced with: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
Introduced with: https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8)
Fixed by: https://github.com/golang/go/commit/65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 (go1.26.1)
Fixed by: https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 (go1.25.8)
Fix for CVE-2026-25679 depends on the fix for CVE-2025-47912

EPSS

Процентиль: 9%

0.00031

Низкий

CVE-2026-25679

CVSS3: 7.5

ubuntu

20 дней назад

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-25679

CVSS3: 7.5

redhat

20 дней назад

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-25679

CVSS3: 7.5

nvd

20 дней назад

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-25679

msrc

15 дней назад

Incorrect parsing of IPv6 host literals in net/url

GHSA-j3gx-2473-5fp8

CVSS3: 7.5

github

20 дней назад

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

EPSS

Процентиль: 9%

0.00031

Низкий