On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

amazon_alas ALAS2023-2026-1482: Amazon Linux 2023 Security Advisory:ALAS2023-2026-1482

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0977-1 advisory.

    Update to go 1.25.8 (bsc#1244485, jsc#SLE-18320):

    - CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling     (bsc#1257692).
    - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session     resumption does       not account for the expiration of full certificate chain (bsc#1256818).
    - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
    - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
    - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

    Changelog:

     * go#77253 cmd/compile: miscompile of global array initialization
     * go#77406 os: Go 1.25.x regression on RemoveAll for windows
     * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
     * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-     variable flag in        pkg-config
     * go#77531 net/smtp: expiry date of localhostCert for testing is too short
     * go#75844 cmd/compile: OOM killed on linux/arm64
     * go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
     * go#77425 crypto/tls: CL 737700 broke session resumption on macOS

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0947-1 advisory.

    Update to go 1.25.8 (bsc#1244485, jsc#SLE-18320):

    - CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling     (bsc#1257692).
    - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session     resumption does       not account for the expiration of full certificate chain (bsc#1256818).
    - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
    - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
    - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

    Changelog:

     * go#77253 cmd/compile: miscompile of global array initialization
     * go#77406 os: Go 1.25.x regression on RemoveAll for windows
     * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
     * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-     variable flag in        pkg-config
     * go#77531 net/smtp: expiry date of localhostCert for testing is too short
     * go#75844 cmd/compile: OOM killed on linux/arm64
     * go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
     * go#77425 crypto/tls: CL 737700 broke session resumption on macOS

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.25.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3203 advisory.

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
    (CVE-2026-25679)

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the     returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of     this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem     without permitting reading or writing files outside the root. (CVE-2026-27139)

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS     if the meta tag also has an http-equiv attribute with the value refresh. A new GODEBUG setting has been     added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content     attribute which follow url= by setting htmlmetacontenturlescape=0. (CVE-2026-27142)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golist installed on the remote host is prior to 0.10.1-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3202 advisory.

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
    (CVE-2026-25679)

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the     returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of     this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem     without permitting reading or writing files outside the root. (CVE-2026-27139)

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS     if the meta tag also has an http-equiv attribute with the value refresh. A new GODEBUG setting has been     added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content     attribute which follow url= by setting htmlmetacontenturlescape=0. (CVE-2026-27142)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0876-1 advisory.

    Update to go1.26.1 (bsc#1255111):

    - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
    - CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints (bsc#1259266).
    - CVE-2026-27138: crypto/x509: panic in name constraint checking for malformed certificates (bsc#1259267).
    - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
    - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

    Changelog:

    * go#77252 cmd/compile: miscompile of global array initialization
    * go#77407 os: Go 1.25.x regression on RemoveAll for windows
    * go#77474 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable     flag in       pkg-config
    * go#77529 cmd/fix, x/tools/go/analysis/passes/modernize: stringscut: OOB panic in indexArgValid analyzing       'buf.Bytes()' call
    * go#77532 net/smtp: expiry date of localhostCert for testing is too short
    * go#77536 cmd/compile: internal compiler error: 'main.func1': not lowered: v15, Load STRUCT PTR SSA
    * go#77618 strings: HasSuffix doesn't work correctly for multibyte runes in go 1.26
    * go#77623 cmd/compile: internal compiler error on : 'tried to free an already free register' with generic     function       and type >= 192 bytes
    * go#77624 cmd/fix, x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when combining two       strings.Builders
    * go#77680 cmd/link: TestFlagW/-w_-linkmode=external fails on illumos
    * go#77766 cmd/fix,x/tools/go/analysis/passes/modernize: rangeint uses target platform's type in the range     expression,       breaking other platforms
    * go#77780 reflect: breaking change for reflect.Value.Interface behaviour
    * go#77786 cmd/compile: rewriteFixedLoad does not properly sign extend AuxInt
    * go#77803 cmd/fix,x/tools/go/analysis/passes/modernize: reflect.TypeOf(nil) transformed into       reflect.TypeFor[untyped nil]()
    * go#77804 cmd/fix,x/tools/go/analysis/passes/modernize: minmax breaks select statements
    * go#77805 cmd/fix, x/tools/go/analysis/passes/modernize: waitgroup leads to a compilation error
    * go#77807 cmd/fix,x/tools/go/analysis/passes/modernize: stringsbuilder ignores variables if they are used     multiple       times
    * go#77849 cmd/fix,x/tools/go/analysis/passes/modernize: stringscut rewrite changes behavior
    * go#77860 cmd/go: change go mod init default go directive back to 1.N
    * go#77899 cmd/fix, x/tools/go/analysis/passes/modernize: bad rangeint rewriting
    * go#77904 x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when GenDecl is a block     declaration

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0875-1 advisory.

    Update to go1.25.8 (bsc#1244485):

    - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
    - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
    - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

    Changelog:

    * go#77253 cmd/compile: miscompile of global array initialization
    * go#77406 os: Go 1.25.x regression on RemoveAll for windows
    * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
    * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable     flag in       pkg-config
    * go#77531 net/smtp: expiry date of localhostCert for testing is too short

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the     returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of     this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem     without permitting reading or writing files outside the root. (CVE-2026-27139)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Golang running on the remote host is prior to 1.25.8, or 1.26.x prior to 1.26.1. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory.

  - The Go standard library function net/url.Parse insufficiently validated the host/authority component and     accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The     function should have rejected this as invalid. To prevent this behavior, net/url.Parse now rejects IPv6     literals that do not appear at the start of the host subcomponent of a URL. (CVE-2026-25679)

  - A TOCTOU (time-of-check/time-of-use) race condition exists in os.Root on Unix platforms. The     File.ReadDir and File.Readdir methods populate os.FileInfo using lstat, which can escape the root     boundary through a symlink race condition. An attacker can exploit this by replacing a directory     with a symlink pointing outside the root between listing directory contents and calling     DirEntry.Info(), allowing retrieval of file metadata (size, modification time, permissions) for     files outside the root. This does not permit reading or writing files outside the root.
    (CVE-2026-27139)

  - Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow     XSS if the meta tag also has an http-equiv attribute with the value 'refresh'. A new GODEBUG setting has     been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta     content attribute which follow 'url=' by setting htmlmetacontenturlescape=0. (CVE-2026-27142)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
303590	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.26-openssl (SUSE-SU-2026:0976-1)	Nessus	SuSE Local Security Checks	medium
303589	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.25-openssl (SUSE-SU-2026:0977-1)	Nessus	SuSE Local Security Checks	critical
303578	SUSE SLES15 Security Update : go1.26-openssl (SUSE-SU-2026:0993-1)	Nessus	SuSE Local Security Checks	medium
303295	SUSE SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:0947-1)	Nessus	SuSE Local Security Checks	critical
303096	Amazon Linux 2 : golang, --advisory ALAS2-2026-3203 (ALAS-2026-3203)	Nessus	Amazon Linux Local Security Checks	medium
303088	Amazon Linux 2 : golist, --advisory ALAS2-2026-3202 (ALAS-2026-3202)	Nessus	Amazon Linux Local Security Checks	medium
302111	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.26 (SUSE-SU-2026:0876-1)	Nessus	SuSE Local Security Checks	medium
302109	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.25 (SUSE-SU-2026:0875-1)	Nessus	SuSE Local Security Checks	medium
302094	openSUSE 16 Security Update : go1.26 (openSUSE-SU-2026:20342-1)	Nessus	SuSE Local Security Checks	medium
301396	Linux Distros Unpatched Vulnerability : CVE-2026-27139	Nessus	Misc.	low
301252	Golang 1.25.x < 1.25.8 / 1.26.x < 1.26.1 Multiple Vulnerabilities	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-27139

low

Tenable Plugins

Coming Soon

medium

critical

medium

critical

medium

medium

medium

medium

medium

low

medium