CVE-2026-42507 | THREATINT

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

PUBLISHED Reserved 2026-04-28 | Published 2026-06-02 | Updated 2026-06-03 | Assigner Go

Problem types

CWE-532: Insertion of Sensitive Information into Log File

Product status

Default status

unaffected

Any version before 1.25.11

affected

1.26.0-0 (semver) before 1.26.4

affected

References

go.dev/issue/79346

go.dev/cl/777060

groups.google.com/g/golang-announce/c/tKs3rmcBcKw

pkg.go.dev/vuln/GO-2026-5039

cve.org (CVE-2026-42507)

nvd.nist.gov (CVE-2026-42507)

Download JSON