golang.org/x/net (go) security advisories

UNKNOWN

Go

CVE-2026-39821

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

May 22, 2026

UNKNOWN

Go

CVE-2026-25680

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

May 22, 2026

UNKNOWN

Go

CVE-2026-42502

Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

May 22, 2026

UNKNOWN

Go

CVE-2026-27136

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

May 22, 2026

UNKNOWN

Go

CVE-2026-42506

Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

May 22, 2026

UNKNOWN

Go

CVE-2026-25681

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

May 22, 2026

MEDIUM 5.3

SwiftURL KEV

CVE-2023-44487

HTTP/2 Stream Cancellation Attack

Oct 10, 2023

UNKNOWN

Go

CVE-2025-47911

Quadratic parsing complexity in golang.org/x/net/html

Feb 5, 2026

UNKNOWN

Go

CVE-2025-58190

Infinite parsing loop in golang.org/x/net

Feb 5, 2026

UNKNOWN

Go

CVE-2026-27141

Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net

Feb 26, 2026

UNKNOWN

Go

CVE-2026-33814

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

May 7, 2026

MEDIUM 4.4

Go

CVE-2025-22870

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Mar 12, 2025

UNKNOWN

Go

CVE-2025-22870

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Mar 12, 2025

UNKNOWN

Go

CVE-2023-39325

HTTP/2 rapid reset can cause excessive work in net/http

Oct 11, 2023

UNKNOWN

Go

CVE-2024-45338

Non-linear parsing of case-insensitive content in golang.org/x/net/html

Dec 18, 2024

UNKNOWN

Go

CVE-2025-22872

golang.org/x/net vulnerable to Cross-site Scripting

Apr 16, 2025

UNKNOWN

Go

CVE-2025-22872

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Apr 16, 2025

UNKNOWN

Go

CVE-2022-41717

Excessive memory growth in net/http and golang.org/x/net/http2

Dec 8, 2022

MEDIUM 5.3

Go

CVE-2022-41717

golang.org/x/net/http2 vulnerable to possible excessive memory growth

Dec 8, 2022

HIGH 7.5

Go

CVE-2023-39325

HTTP/2 rapid reset can cause excessive work in net/http

Oct 11, 2023

UNKNOWN

Go

CVE-2023-3978

Improper rendering of text nodes in golang.org/x/net/html

Aug 2, 2023

UNKNOWN

Go

CVE-2023-45288

HTTP/2 CONTINUATION flood in net/http

Apr 3, 2024

MEDIUM 5.9

Go

CVE-2021-31525

golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion

May 24, 2022

UNKNOWN

Go

CVE-2021-33194

Infinite loop when parsing inputs in golang.org/x/net/html

Feb 17, 2022

UNKNOWN

Go

CVE-2018-17847

Panic when parsing certain inputs in golang.org/x/net/html

Jul 1, 2022

MEDIUM 5.3

Go

CVE-2023-45288

net/http, x/net/http2: close connections when receiving too many headers

Apr 4, 2024

HIGH 7.5

Go

CVE-2018-17847

golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer

May 13, 2022

UNKNOWN

Go

CVE-2022-41723

Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net

Feb 16, 2023

HIGH 7.5

Go

CVE-2019-9512

golang.org/x/net/http vulnerable to a reset flood

May 24, 2022

HIGH 7.5

Go

CVE-2019-9512

golang.org/x/net/http vulnerable to ping floods

May 24, 2022

HIGH 7.5

Go

CVE-2021-33194

golang.org/x/net/html Infinite Loop vulnerability

May 24, 2022

UNKNOWN

Go

CVE-2021-31525

Panic due to large headers in net/http and golang.org/x/net/http/httpguts

Jul 15, 2022

HIGH 7.5

Go

CVE-2022-41723

golang.org/x/net vulnerable to Uncontrolled Resource Consumption

Feb 17, 2023

UNKNOWN

Go

CVE-2022-27664

Denial of service in net/http and golang.org/x/net/http2

Sep 12, 2022

HIGH 7.5

Go

CVE-2022-41721

golang.org/x/net/http2/h2c vulnerable to request smuggling attack

Jan 14, 2023

HIGH 7.5

Go

CVE-2018-17847

golang.org/x/net/html Improper Validation of Array Index vulnerability

May 13, 2022

HIGH 7.5

Go

CVE-2022-27664

golang.org/x/net/http2 Denial of Service vulnerability

Sep 7, 2022

UNKNOWN

Go

CVE-2022-41721

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

Jan 13, 2023

MEDIUM 6.1

Go

CVE-2023-3978

Improper rendering of text nodes in golang.org/x/net/html

Aug 2, 2023

UNKNOWN

Go

CVE-2019-9512

Reset flood in net/http and golang.org/x/net/http

Aug 1, 2022

HIGH 7.5

Go

CVE-2018-17143

golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer

May 13, 2022

HIGH 7.5

Go

CVE-2018-17142

golang.org/x/net/html NULL Pointer Dereference vulnerability

May 13, 2022

HIGH 7.5

Go

CVE-2018-17075

golang.org/x/net/html NULL Pointer Dereference vulnerability

May 13, 2022

HIGH 7.5

Go

CVE-2018-17846

x/net/html Vulnerable to DoS During HTML Parsing

Sep 25, 2023

UNKNOWN

Go

CVE-2021-44716

Unbounded memory growth in net/http and golang.org/x/net/http2

Jul 15, 2022

UNKNOWN

Go

CVE-2018-17143

Panic on unconsidered isindex and template combination in golang.org/x/net/html

Jul 6, 2022

UNKNOWN

Go

CVE-2018-17142

Incorrect parsing of nested templates in golang.org/x/net/html

Jul 1, 2022

UNKNOWN

Go

CVE-2018-17075

Panic when parsing malformed HTML in golang.org/x/net/html

Apr 14, 2021

UNKNOWN

Go

CVE-2018-17846

Infinite loop due to improper handling of "select" tags in golang.org/x/net/html

Apr 14, 2021

golang.org/x/net

Vulnerabilities

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

HTTP/2 Stream Cancellation Attack

Quadratic parsing complexity in golang.org/x/net/html

Infinite parsing loop in golang.org/x/net

Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

HTTP/2 rapid reset can cause excessive work in net/http

Non-linear parsing of case-insensitive content in golang.org/x/net/html

golang.org/x/net vulnerable to Cross-site Scripting

Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Excessive memory growth in net/http and golang.org/x/net/http2

golang.org/x/net/http2 vulnerable to possible excessive memory growth

HTTP/2 rapid reset can cause excessive work in net/http

Improper rendering of text nodes in golang.org/x/net/html

HTTP/2 CONTINUATION flood in net/http

golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion

Infinite loop when parsing inputs in golang.org/x/net/html

Panic when parsing certain inputs in golang.org/x/net/html

net/http, x/net/http2: close connections when receiving too many headers

golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer

Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net

golang.org/x/net/http vulnerable to a reset flood

golang.org/x/net/http vulnerable to ping floods

golang.org/x/net/html Infinite Loop vulnerability

Panic due to large headers in net/http and golang.org/x/net/http/httpguts

golang.org/x/net vulnerable to Uncontrolled Resource Consumption

Denial of service in net/http and golang.org/x/net/http2

golang.org/x/net/http2/h2c vulnerable to request smuggling attack

golang.org/x/net/html Improper Validation of Array Index vulnerability

golang.org/x/net/http2 Denial of Service vulnerability

Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

Improper rendering of text nodes in golang.org/x/net/html

Reset flood in net/http and golang.org/x/net/http

golang.org/x/net/html has Improper Restriction of Operations within the Bounds of a Memory Buffer

golang.org/x/net/html NULL Pointer Dereference vulnerability

golang.org/x/net/html NULL Pointer Dereference vulnerability

x/net/html Vulnerable to DoS During HTML Parsing

Unbounded memory growth in net/http and golang.org/x/net/http2

Panic on unconsidered isindex and template combination in golang.org/x/net/html

Incorrect parsing of nested templates in golang.org/x/net/html

Panic when parsing malformed HTML in golang.org/x/net/html

Infinite loop due to improper handling of "select" tags in golang.org/x/net/html

Start Securing