CVE-2026-25679
Modified
Modified - Updated After Analysis
Improper URL Validation in Go's url.Parse Causes Security Risks
Vulnerability report for CVE-2026-25679, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-06
Last updated on: 2026-07-02
Assigner: Go Project
Description
Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.8 (exc) |
| golang | go | 1.26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-425 | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-1286 | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. |