Vulnerability-Lookup

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37

Title

Incorrect parsing of IPv6 host literals in net/url

Summary

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/Edh…
https://pkg.go.dev/vuln/GO-2026-4601

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:36:26.554241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:37:02.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseHost"
            },
            {
              "name": "JoinPath"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseRequestURI"
            },
            {
              "name": "URL.Parse"
            },
            {
              "name": "URL.UnmarshalBinary"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.211Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/752180"
        },
        {
          "url": "https://go.dev/issue/77578"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "title": "Incorrect parsing of IPv6 host literals in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25679",
    "datePublished": "2026-03-06T21:28:14.211Z",
    "dateReserved": "2026-02-05T01:33:41.943Z",
    "dateUpdated": "2026-03-10T13:37:02.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25679",
      "date": "2026-05-19",
      "epss": "0.00044",
      "percentile": "0.13611"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25679\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-03-06T22:16:00.720\",\"lastModified\":\"2026-04-21T14:43:03.800\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.\"},{\"lang\":\"es\",\"value\":\"url.Parse valid\u00f3 insuficientemente el componente de host/autoridad y acept\u00f3 algunas URL inv\u00e1lidas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-425\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.8\",\"matchCriteriaId\":\"2D293CC0-B163-4E62-B985-52FB6ECA64C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A40FE3CB-0D03-462B-8A19-4DF1920ABE82\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/752180\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://go.dev/issue/77578\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\",\"source\":\"security@golang.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4601\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25679\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T13:36:26.554241Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T13:36:57.330Z\"}}], \"cna\": {\"title\": \"Incorrect parsing of IPv6 host literals in net/url\", \"credits\": [{\"lang\": \"en\", \"value\": \"Masaki Hara (https://github.com/qnighy) of Wantedly\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"net/url\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.25.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.26.0-0\", \"lessThan\": \"1.26.1\", \"versionType\": \"semver\"}], \"packageName\": \"net/url\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"parseHost\"}, {\"name\": \"JoinPath\"}, {\"name\": \"Parse\"}, {\"name\": \"ParseRequestURI\"}, {\"name\": \"URL.Parse\"}, {\"name\": \"URL.UnmarshalBinary\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/752180\"}, {\"url\": \"https://go.dev/issue/77578\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4601\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-1286: Improper Validation of Syntactic Correctness of Input\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-03-06T21:28:14.211Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25679\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T13:37:02.459Z\", \"dateReserved\": \"2026-02-05T01:33:41.943Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-03-06T21:28:14.211Z\", \"assignerShortName\": \"Go\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

alsa-2026:11412

Vulnerability from osv_almalinux

Published

2026-04-28 00:00

Modified

2026-04-29 11:33

Summary

Important: yggdrasil-worker-package-manager security update

Details

yggdrasil-worker-package-manager is a simple package manager yggd worker. It knows how to install and remove packages, add, remove, enable and disable repositories, and does rudimentary detection of the host it is running on to guess the package manager to use. It only installs packages that match one of the provided allow-pattern regular expressions.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:11412	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-11412.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "yggdrasil-worker-package-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.3-5.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "yggdrasil-worker-package-manager is a simple package manager yggd worker. It knows how to install and remove packages, add, remove, enable and disable repositories, and does rudimentary detection of the host it is running on to guess the package manager to use. It only installs packages that match one of the provided allow-pattern regular expressions.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:11412",
  "modified": "2026-04-29T11:33:24Z",
  "published": "2026-04-28T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:11412"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-11412.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: yggdrasil-worker-package-manager security update"
}

alsa-2026:11413

Vulnerability from osv_almalinux

Published

2026-04-28 00:00

Modified

2026-04-29 11:31

Summary

Important: yggdrasil security update

Details

yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child "worker" process, exchanging data with its worker processes through a D-Bus message broker.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:11413	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-11413.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "yggdrasil"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.8-4.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "yggdrasil-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.8-4.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child \"worker\" process, exchanging data with its worker processes through a D-Bus message broker.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:11413",
  "modified": "2026-04-29T11:31:50Z",
  "published": "2026-04-28T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:11413"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-11413.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: yggdrasil security update"
}

alsa-2026:13642

Vulnerability from osv_almalinux

Published

2026-05-05 00:00

Modified

2026-05-06 12:45

Summary

Important: image-builder security update

Details

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:13642	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-13642.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "image-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31-5.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:13642",
  "modified": "2026-05-06T12:45:30Z",
  "published": "2026-05-05T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:13642"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-13642.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: image-builder security update"
}

alsa-2026:13643

Vulnerability from osv_almalinux

Published

2026-05-05 00:00

Modified

2026-05-06 09:54

Summary

Important: osbuild-composer security update

Details

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:13643	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-13643.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "osbuild-composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "149-6.el10_1.alma.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "osbuild-composer-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "149-6.el10_1.alma.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "osbuild-composer-worker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "149-6.el10_1.alma.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:13643",
  "modified": "2026-05-06T09:54:22Z",
  "published": "2026-05-05T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:13643"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-13643.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: osbuild-composer security update"
}

alsa-2026:13671

Vulnerability from osv_almalinux

Published

2026-05-05 00:00

Modified

2026-05-05 17:13

Summary

Important: image-builder security update

Details

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:13671	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/9/ALSA-2026-13671.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "image-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31-4.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:13671",
  "modified": "2026-05-05T17:13:15Z",
  "published": "2026-05-05T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:13671"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-13671.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: image-builder security update"
}

alsa-2026:16875

Vulnerability from osv_almalinux

Published

2026-05-13 00:00

Modified

2026-05-13 09:18

Summary

Important: git-lfs security update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:16875	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32280	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://bugzilla.redhat.com/2456339	REPORT
	https://errata.almalinux.org/8/ALSA-2026-16875.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.1-10.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n  * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:16875",
  "modified": "2026-05-13T09:18:42Z",
  "published": "2026-05-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:16875"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456339"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-16875.html"
    }
  ],
  "related": [
    "CVE-2026-25679",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32280"
  ],
  "summary": "Important: git-lfs security update"
}

alsa-2026:5941

Vulnerability from osv_almalinux

Published

2026-03-26 00:00

Modified

2026-03-27 10:26

Summary

Important: golang security update

Details

The golang packages provide the Go programming language compiler.

Security Fix(es):

cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:5941	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-61731	REPORT
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2434433	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-5941.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "go-toolset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-bin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-misc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-race"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-src"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "golang-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el10_1.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The golang packages provide the Go programming language compiler.  \n\nSecurity Fix(es):  \n\n  * cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:5941",
  "modified": "2026-03-27T10:26:32Z",
  "published": "2026-03-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:5941"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-61731"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2434433"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-5941.html"
    }
  ],
  "related": [
    "CVE-2025-61731",
    "CVE-2026-25679"
  ],
  "summary": "Important: golang security update"
}

alsa-2026:5942

Vulnerability from osv_almalinux

Published

2026-03-26 00:00

Modified

2026-03-27 10:17

Summary

Important: golang security update

Details

The golang packages provide the Go programming language compiler.

Security Fix(es):

cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:5942	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-61731	REPORT
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2434433	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/9/ALSA-2026-5942.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "go-toolset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-bin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-misc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-race"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-src"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "golang-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.8-1.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The golang packages provide the Go programming language compiler.  \n\nSecurity Fix(es):  \n\n  * cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:5942",
  "modified": "2026-03-27T10:17:44Z",
  "published": "2026-03-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:5942"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-61731"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2434433"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-5942.html"
    }
  ],
  "related": [
    "CVE-2025-61731",
    "CVE-2026-25679"
  ],
  "summary": "Important: golang security update"
}

alsa-2026:6344

Vulnerability from osv_almalinux

Published

2026-04-01 00:00

Modified

2026-04-03 09:56

Summary

Important: grafana security update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:6344	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/10/ALSA-2026-6344.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-23.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "grafana-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-23.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.   \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:6344",
  "modified": "2026-04-03T09:56:37Z",
  "published": "2026-04-01T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:6344"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-6344.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: grafana security update"
}

alsa-2026:6382

Vulnerability from osv_almalinux

Published

2026-04-01 00:00

Modified

2026-04-02 09:12

Summary

Important: grafana security update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:6382	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://errata.almalinux.org/9/ALSA-2026-6382.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-19.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-19.el9_7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.   \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:6382",
  "modified": "2026-04-02T09:12:36Z",
  "published": "2026-04-01T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:6382"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-6382.html"
    }
  ],
  "related": [
    "CVE-2026-25679"
  ],
  "summary": "Important: grafana security update"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature