Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Scores
CVSS v3
7.5
EPSS
0.0005
EPSS Percentile
15.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-425
Status
published
Products (4)
Go standard library/net/url
< 1.25.8
Go standard library/net/url
1.26.0-0 - 1.26.1
golang/go
1.26.0
golang/go
< 1.25.8
Published
Mar 06, 2026
Tracked Since
Mar 07, 2026