Vulnerability Report: GO-2026-4601
- CVE-2026-25679
- Affects: net/url
- Published: Mar 06, 2026
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Affected Packages
-
PathVersionsSymbols
-
before go1.25.8, from go1.26.0-0 before go1.26.1
5 affected symbols
Aliases
References
- https://go.dev/cl/752180
- https://go.dev/issue/77578
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
- https://vuln.go.dev/ID/GO-2026-4601.json
Credits
- Masaki Hara (https://github.com/qnighy) of Wantedly
Feedback
See anything missing or incorrect?
Suggest an edit to this report.