[Git][security-tracker-team/security-tracker][master] new go issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri May 8 12:12:17 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5c46a819 by Moritz Muehlenhoff at 2026-05-08T13:05:44+02:00
new go issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -171,9 +171,23 @@ CVE-2026-42880 (Argo CD is a declarative, GitOps continuous delivery tool for Ku
CVE-2026-42826 (Exposure of sensitive information to an unauthorized actor in Azure De ...)
NOT-FOR-US: Microsoft
CVE-2026-42501 (A malicious module proxy can exploit a flaw in the go command's valida ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/775321
+ NOTE: https://github.com/golang/go/issues/79070
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-42499 (Pathological inputs could cause DoS through consumePhrase when parsing ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/771520
+ NOTE: https://github.com/golang/go/issues/78987
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-42449 (n8n-MCP is an MCP server that provides AI assistants access to n8n nod ...)
NOT-FOR-US: n8n-MCP
CVE-2026-42279 (solidtime is an open-source time-tracking app. In version 0.12.0, the ...)
@@ -246,19 +260,68 @@ CVE-2026-40213 (OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') a
CVE-2026-3508 (An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS Syste ...)
NOT-FOR-US: ASUS
CVE-2026-39836 (The Dial and LookupPort functions panic on Windows when provided with ...)
- TODO: check
+ - golang-1.25 <not-affected> (Windows-specific)
+ - golang-1.26 <not-affected> (Windows-specific)
+ - golang-1.24 <not-affected> (Windows-specific)
+ - golang-1.19 <not-affected> (Windows-specific)
+ - golang-1.15 <not-affected> (Windows-specific)
+ NOTE: https://go-review.googlesource.com/c/go/+/775320
+ NOTE: https://github.com/golang/go/issue/79006
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39826 (If a trusted template author were to write a <script> tag containing a ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/771180
+ NOTE: https://github.com/golang/go/issues/78981
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39825 (ReverseProxy can forward queries containing parameters not visible to ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/770541
+ NOTE: https://github.com/golang/go/issues/78948
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39823 (CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/769920
+ NOTE: https://github.com/golang/go/issues/78913
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39820 (Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/759940
+ NOTE: https://github.com/golang/go/issues/78566
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39819 (The "go bug" command writes to two files with predictable names in the ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/763882
+ NOTE: https://github.com/golang/go/issues/78584
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-39817 (The "go tool pack" subcommand (usually used only by the compiler as an ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/767520
+ NOTE: https://github.com/golang/go/issues/78778
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-35435 (Improper access control in Azure AI Foundry M365 published agents allo ...)
NOT-FOR-US: Microsoft
CVE-2026-35428 (Improper neutralization of special elements used in a command ('comman ...)
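Review bot: the issue link added under CVE-2026-39836 reads https://github.com/golang/go/issue/79006, with the path segment "issue" where every other NOTE line in this commit uses "issues". Change it to https://github.com/golang/go/issues/79006 so the reference matches the other entries and stays followable from the tracker page.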
@@ -272,7 +335,14 @@ CVE-2026-33823 (Improper authorization in Microsoft Teams allows an authorized a
CVE-2026-33814 (When processing HTTP/2 SETTINGS frames, transport will enter an infini ...)
TODO: check
CVE-2026-33811 (When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ...)
- TODO: check
+ - golang-1.25 1.25.10-1
+ - golang-1.26 1.26.3-1
+ - golang-1.24 <removed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://go-review.googlesource.com/c/go/+/767860
+ NOTE: https://github.com/golang/go/issues/78803
+ NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
CVE-2026-33111 (Improper neutralization of special elements used in a command ('comman ...)
NOT-FOR-US: Microsoft
CVE-2026-33109 (Improper access control in Azure Managed Instance for Apache Cassandra ...)
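Review bot: CVE-2026-33814, in the context directly above the edited entry, is still marked TODO: check, although its description (HTTP/2 SETTINGS frames, "transport") reads as if it could belong to the same batch of Go issues. If it was left out on purpose, for instance because it maps to a different source package, that is fine. Otherwise triage it here or in a follow-up so it does not stay untracked next to the entries just resolved.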
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c46a81939db26c10ca630dc47c6e5e0ea6e942c