CVE-2026-25679

HIGH

Go standard library net/url < 1.25.8 and 1.26.0 - Direct Request via Invalid URL Host Parsing

Title source: llm

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Core 4

Core References

Various Sources

Various Sources

Issue Tracking

Mailing List

CVSS v3 7.5

EPSS 0.0052

EPSS Percentile 39.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

CWE

CWE-425

Status published

Products (4)

Go standard library/net/url < 1.25.8

Go standard library/net/url 1.26.0-0 - 1.26.1

golang/go 1.26.0

golang/go < 1.25.8

Published Mar 06, 2026

Tracked Since Mar 07, 2026