CVE-2026-42507

EUVD-2026-34040
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
golang-1.19
bookworm
vulnerable
golang-1.24
trixie
vulnerable
golang-1.25
forky
vulnerable
sid
vulnerable
golang-1.26
forky
vulnerable
sid
vulnerable
Vulnerability Media Exposure
References
https://go.dev/cl/777060
https://go.dev/issue/79346
https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
https://pkg.go.dev/vuln/GO-2026-5039