CVE-2026-39822

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
golang-1.19
bookworm
vulnerable
golang-1.24
trixie
vulnerable
golang-1.25
forky
vulnerable
sid
1.25.12-1
fixed
golang-1.26
forky
vulnerable
sid
1.26.5-1
fixed
golang-1.27
forky
vulnerable
sid
1.27~rc2-1
fixed