Go net/textproto Package Error Injection Vulnerability

Vulnerability

A vulnerability exists in the Go programming language's net/textproto package, where functions include arbitrary input in error messages without proper escaping. This flaw could enable an attacker to inject misleading content, such as terminal control bytes, into errors that are printed or logged. The issue affects Go versions prior to 1.25.11 and from 1.26.0 up to but not including 1.26.4.

Impact

Exploitation of this vulnerability could lead to the injection of unescaped, attacker-controlled content into error messages, potentially misleading users or causing unintended effects in log outputs.

Remediation

Users can upgrade to Go versions 1.26.4 or 1.25.11, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
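Independently of the upgrade, code that prints or logs errors can escape them at the sink. The following is an added example, not code from this advisory or from the Go project: `SafeErrorText` and `hasUnsafeRunes` are hypothetical helper names, and the sample error is constructed to resemble a parser error that echoes untrusted input.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strconv"
	"unicode"
)

// hasUnsafeRunes (hypothetical helper) reports whether s contains runes that
// can change how a terminal or log viewer renders the line: control bytes,
// Unicode format characters, or invalid UTF-8 (decoded as U+FFFD by range).
func hasUnsafeRunes(s string) bool {
	for _, r := range s {
		if r == unicode.ReplacementChar || !unicode.IsPrint(r) {
			return true
		}
	}
	return false
}

// SafeErrorText (hypothetical helper) returns err's full message, including
// wrapped errors, as a Go-quoted string: ESC becomes \x1b, newline becomes \n,
// and the surrounding quotes keep the field boundary unambiguous in the log.
// The bool is a detection signal that escaping was needed for unsafe runes.
func SafeErrorText(err error) (text string, tainted bool) {
	if err == nil {
		return "", false
	}
	msg := err.Error()
	return strconv.Quote(msg), hasUnsafeRunes(msg)
}

func main() {
	// Constructed sample: an error value carrying control bytes and a forged
	// log fragment, wrapped the way application code typically wraps errors.
	inner := textproto.ProtocolError(
		"malformed MIME header line: bad\x1b[2K\rlevel=info msg=ok")
	err := fmt.Errorf("read request: %w", inner)

	text, tainted := SafeErrorText(err)
	fmt.Printf("level=error tainted=%t err=%s\n", tainted, text)
}
```

The `tainted` flag can be emitted as its own log field so that errors carrying control bytes are searchable after the fact.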

Added: Jun 2, 2026, 11:19 PM
Updated: Jun 2, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 9.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.