Go toolchain
Recent CVEs
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its ou…
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_…
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via th…
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed …
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "…
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a…
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running a…
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses…
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags speci…
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symb…