CVE-2026-25679 | THREATINT

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

PUBLISHED Reserved 2026-02-05 | Published 2026-03-06 | Updated 2026-03-06 | Assigner Go

Problem types

CWE-1286: Improper Validation of Syntactic Correctness of Input

Product status

Default status

unaffected

Any version before 1.25.8

affected

1.26.0-0 (semver) before 1.26.1

affected

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

References

go.dev/cl/752180

go.dev/issue/77578

groups.google.com/g/golang-announce/c/EdhZqrQ98hk

pkg.go.dev/vuln/GO-2026-4601

cve.org (CVE-2026-25679)

nvd.nist.gov (CVE-2026-25679)

Download JSON

help @ threatint.eu